I think there's a need for a more fine grained permission to access nodeorder global settings.
Currently, the path admin/settings/nodeorder is bound to the global permission "access administration pages". Thus, If I grant a restricted user that permission (to allow access to the admin home, for example), it'll grant him the rights to modify nodeorder settings.
I added the permission "administer nodeorder" for that purpose. Patch will follow.
Comment | File | Size | Author |
---|---|---|---|
#9 | D6-nodeorder-perm-admin-nodeorder-795620-9.patch | 746 bytes | j0rd |
#9 | D7-nodeorder-perm-admin-nodeorder-795620-9.patch | 1.08 KB | j0rd |
#6 | nodeorder_795620_6.patch | 967 bytes | scottrigby |
#1 | perm_administer_nodeorder.diff | 927 bytes | garphy |
Comments
Comment #1
garphy CreditAttribution: garphy commentedPatch attached.
Comment #2
gooddesignusa CreditAttribution: gooddesignusa commentedpatch applied without any problems but doesn't seem to work correctly. inside the permissions page under nodeorder i see "contributions/modules/nodeorder" instead of "administer nodeorder"
I used applied the patch to version 6.x-1.1. Do i need to clear cache or something after I copied the new version of nodeorder.module?
This patch is exactly what I need. Thanks a lot
Comment #3
garphy CreditAttribution: garphy commentedIndeed, there's a problem with my patch. I'll reroll it quickly !
Comment #4
marcus_clements CreditAttribution: marcus_clements commentedPlease add this feature - I needed this change myself.
Comment #5
gooddesignusa CreditAttribution: gooddesignusa commentedAny news on the reroll of the patch?
Comment #6
scottrigbyre-rolled patch
Comment #7
gooddesignusa CreditAttribution: gooddesignusa commentedthank you scottrigby :)
Comment #8
j0rd CreditAttribution: j0rd commentedThis is actually a security leak. "access administration pages", simply allows the user to do just that "access administration pages". This is an option which is used to provide access to admin section for the end user. It's a permission that's needed in conjunction with admin_menu to display the admin menu at the top.
No other modules I have installed on my site, leak permissions except for nodeorder based off this permission. I would recommend changing it to a more fine grained like "admin nodeorder", or changing it to "administer site configuration", which is the more appropriate "generic admin" permissions.
Comment #9
j0rd CreditAttribution: j0rd commentedPatch #6 is no good.
Here's two patches (D6 & D7) which provide this functionality. Also added a description for other nodeorder permission in D7.
Comment #12
dieuweBoth patches committed.