I think there's a need for a more fine-grained permission to access nodeorder global settings.

Currently, the path admin/settings/nodeorder is bound to the global permission "access administration pages". Thus, if I grant a restricted user that permission (to allow access to the admin home, for example), it'll grant him the rights to modify nodeorder settings.

I added the permission "administer nodeorder" for that purpose. Patch will follow.


Comments

garphy’s picture

FileSize
927 bytes

Patch attached.

gooddesignusa’s picture

Patch applied without any problems but doesn't seem to work correctly. Inside the permissions page under nodeorder I see "contributions/modules/nodeorder" instead of "administer nodeorder".

I applied the patch to version 6.x-1.1. Do I need to clear cache or something after I copied the new version of nodeorder.module?

This patch is exactly what I need. Thanks a lot.

garphy’s picture

Indeed, there's a problem with my patch. I'll reroll it quickly!

marcus_clements’s picture

Please add this feature - I needed this change myself.

gooddesignusa’s picture

Any news on the reroll of the patch?

scottrigby’s picture

Version: 6.x-1.1 » 6.x-1.x-dev
Status: Active » Needs review
FileSize
967 bytes

Re-rolled patch.

gooddesignusa’s picture

Thank you scottrigby :)

j0rd’s picture

This is actually a security leak. "access administration pages" simply allows the user to do just that: "access administration pages". This is an option which is used to provide access to the admin section for the end user. It's a permission that's needed in conjunction with admin_menu to display the admin menu at the top.

No other modules I have installed on my site leak permissions, except for nodeorder, based off this permission. I would recommend changing it to a more fine-grained one like "admin nodeorder", or changing it to "administer site configuration", which is the more appropriate "generic admin" permission.
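The access change discussed in this issue, as an added example in Drupal 6 conventions; it is not part of the thread and not the committed patch. The `example_nodeorder_*` names, the `example_nodeorder_admin` form callback and the `example_user_access()` stand-in for Drupal's `user_access()` are assumptions made so the file runs outside Drupal.

```php
<?php
// Added example: menu item for admin/settings/nodeorder before and after
// binding it to a dedicated permission. All example_* names are hypothetical.

// hook_perm(): declares the dedicated permission the issue asks for.
function example_nodeorder_perm() {
  return array('administer nodeorder');
}

// hook_menu() as reported: settings form gated on the generic permission.
function example_nodeorder_menu_before() {
  return array('admin/settings/nodeorder' => array(
    'title' => 'Nodeorder',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_nodeorder_admin'), // hypothetical form
    'access arguments' => array('access administration pages'),
  ));
}

// hook_menu() with the settings form gated on its own permission.
function example_nodeorder_menu_after() {
  $items = example_nodeorder_menu_before();
  $items['admin/settings/nodeorder']['access arguments'] = array('administer nodeorder');
  return $items;
}

// Stand-in for Drupal's user_access(): is $perm among the granted permissions?
function example_user_access($perm, array $granted) {
  return in_array($perm, $granted, TRUE);
}

// Drupal 6 uses user_access as the default access callback and passes it the
// item's 'access arguments'; this mirrors that for a single permission.
function example_can_access(array $items, $path, array $granted) {
  if (!isset($items[$path])) {
    return FALSE;
  }
  return example_user_access($items[$path]['access arguments'][0], $granted);
}

// Constructed role: may open admin pages (e.g. for admin_menu), nothing else.
$restricted = array('access administration pages');
$path = 'admin/settings/nodeorder';
var_dump(example_can_access(example_nodeorder_menu_before(), $path, $restricted));
var_dump(example_can_access(example_nodeorder_menu_after(), $path, $restricted));
var_dump(example_can_access(example_nodeorder_menu_after(), $path, array('administer nodeorder')));
```

In a real Drupal 6 site the menu router is cached, so a changed `access arguments` value only takes effect after the menu is rebuilt.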

j0rd’s picture

Patch #6 is no good.

Here are two patches (D6 & D7) which provide this functionality. Also added a description for the other nodeorder permission in D7.

  • dieuwe committed 17bf870 on 6.x-1.x authored by j0rd
    Issue #795620, by garphy and j0rd: More fine grained administrative...

  • dieuwe committed 97538ab on 7.x-1.x authored by j0rd
    Issue #795620, by garphy and j0rd: More fine grained administrative...

dieuwe’s picture

Version: 6.x-1.x-dev » 7.x-1.x-dev
Status: Needs review » Fixed

Both patches committed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.