The title says it all. Try playing around with giving users limited admin permissions, and you'll run into this immediately. Some of the bugs and/or unintuitive access settings I observed are:

1) Give a user access to "administer actions". The user cannot administer actions.

2) Give the user additional access to "access administration pages". The user still cannot reach the administer actions page, but on the administration menu, "Content Management" shows up- however, if you click on it, you get an empty page with the title "Content Management" but not items under it.

3) Give the user additional access to "administer site configuration". Now, things start showing up. However, when you click on site building -> triggers, you get an access_denied message on /admin/build/triggers/node. However, things like /admin/build/triggers/comment show up. This completely baffled me the first time I saw it.

4) Unassign the user from "administer site configuration" but assign the user to "administer permissions". Now, on the administration overview page (/admin/), the user management -> permissions link is not displayed; it is also not on the menu. However, if you manually (You can do that?) go to the permissions administration page, it displays without a problem.

5) Number 4 seems to be the early symptoms of a deeper problem: a menu item does not appear to be displayed if the user is denied access to its parent item. However, it should still be displayed: for example, if the user does not have access to go to the user management page, but DOES have access to go to the permissions page, the permissions menu item should "fall back" onto the "Admin" menu item.

6) The problems in #4 extend to contributed modules: for example, I have the simpletest module installed: I give my user additional access to administer unit testing, and the menu items do not appear. If you switch into the "By Module" view, however, they display fine.

The further I seemed to delve into this, the more problems I seemed to find. The underlying problem seems to be with the menu system's idea of inheritance of access - which has proven faulty in many situations.

This is sure to cause tons of agony for first-time users who don't even deeply understand the system; if you assign the user role that you actually plan to use the permission to "administer permissions", you expect to see a menu item "Administer Permissions", or at least a link on the Admin page.

Not to mention the fact that the support requests would drive us all insane.

This is marked critical because Drupal 6 can definitely not be released with the access system in this state.

CommentFileSizeAuthor
#8 menu_inheritance_went_berserk.patch9.59 KBchx
#7 menu_inheritance_went_berserk.patch8.97 KBchx
#6 menu_inheritance_went_berserk.patch8.03 KBchx
#1 access_control.patch7.13 KBchx
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

chx’s picture

chx CreditAttribution: chx commented
Status: Active » Needs review
FileSize
access_control.patch7.13 KB

While the bubbling in 5 won't happen, I have rearranged permissions to be more sane. acess administration pages now gives you access to admin and all second level pages under that and nothing else. Give this permission to your administrators. There is one new string in the patch because I have added a new permission for admin/reports , hope this is acceptable. The other change in system_admin_menu_block_page reuses a string from system_main_admin_page.

I enabled all core modules and there is no other module to patch but system.

Rowanw’s picture

Rowanw CreditAttribution: Rowanw commented

It does appear to be broken, especially when compared to Drupal 5.x.

Drupal 5.x:
1. Give authenticated users permission to 'administer blocks'
2. Log in as an authenticated user and you get a lone 'Blocks' menu item in the User menu

Drupal 6.x
Do the same as above, and you don't get any new menu items in the User menu.

Rowanw’s picture

Rowanw CreditAttribution: Rowanw commented
Title: User permissions for admin access settings are completely unintuitive and extremely buggy » User menu does not reflect user permissions
Status: Needs review » Needs work

Applied patch #1 and it helps. However, the user still sees irrelevant menu items in their user menu (things they can't edit), while the administer page only displays what can be edited. The user won't know why the page is different from the menu.

cwgordon7’s picture

cwgordon7 CreditAttribution: cwgordon7 commented
Title: User menu does not reflect user permissions » User permissions for admin access settings are completely unintuitive and extremely buggy

Notes:

-Same error at admin/build/trigger/node. In fact, even if I give the test user all available permissions, access is still denied.
-Even if we don't have menu bubbling in Drupal 6, the admin overview page should definitely bubble. Even if I don't have access to the user management overview page (which, by the way, is not included in your patch for some reason), but do have access to the permissions page, there should be a nice "user management" block that shows up anyway with "permissions" as an option.
-If the user can access the admin overview page, but does not have any available items, your error message should be displayed.
-Consider if the /admin/user/ overview page should be included in this patch.

Setting back to needs work.

cwgordon7’s picture

cwgordon7 CreditAttribution: cwgordon7 commented
Title: User permissions for admin access settings are completely unintuitive and extremely buggy » User menu does not reflect user permissions

Sorry, Rowanw, I must have been posting at the same time as you by mistake. Setting back to your title. Sorry!

chx’s picture

chx CreditAttribution: chx commented
Title: User menu does not reflect user permissions » Absolute breaker: menu inheritance is broken (and admin pages needs better permissions)
FileSize
menu_inheritance_went_berserk.patch8.03 KB

Huh! I tried to trace down why we added these three lines to menu.inc before inheriting but it totally escapes me. Seems pwolanin was unaware of this change despite it's his patch where it first appears. There is no way this is intentional, it goes against everything sane and the documentation at http://drupal.org/node/109157

If there is no access callback, even after applying the inheritance rule but the access arguments are defined then the system will add user_access for you

after not before! WTF?!

chx’s picture

chx CreditAttribution: chx commented
Status: Needs work » Needs review
FileSize
menu_inheritance_went_berserk.patch8.97 KB

I have fixed up users module, too.

chx’s picture

chx CreditAttribution: chx commented
FileSize
menu_inheritance_went_berserk.patch9.59 KB

I so love simpletest automator because it lets me create users with specific permissions with as few click as it is possible.

snufkin’s picture

snufkin CreditAttribution: snufkin commented
Status: Needs review » Reviewed & tested by the community

It seems to solve the problem mentioned earlier, using the patch the trigger simpletest runs without problems. I tried adding different privileges to auth user, those worked fine too.

Also on the administration page only those items showed up I assigned the user to, and the user was able to administer those sections. None of the initial problems repeated, so i'm marking it RTBC.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented

reviewing now. In terms of the new string - maybe 'You do not have any administrative items.' should this be 'You do not have access to any administrative items.' or 'You do not have permission to perform any administrative tasks.'

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented

Hmm - interesting - maybe not really for this patch, but for page where the user doesn't have acess to any of the children, it still shows up in the menu with an arrow

Dries’s picture

Dries CreditAttribution: Dries commented

I agree that "You do not have permission to perform any administrative tasks." sounds better. Should be a trivial change.

I have not tested this patch but I asked cwgordon7 (original reporter) to give it a good try.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented

I've been using it for mentoring cwgordon7, and it at least allows actions to works (combined with this patch: http://drupal.org/node/203846) and the changes look reasonable. I'll try to do some more functional testing today.

Dries’s picture

Dries CreditAttribution: Dries commented
Status: Reviewed & tested by the community » Fixed

Alright, thanks for pointing out your relation with cwgordon7. I committed the fix. Thanks all.

Dries’s picture

Dries CreditAttribution: Dries commented

Alright, thanks for pointing out your relation with cwgordon7. I committed the fix. Thanks all.

Anonymous’s picture

(not verified) CreditAttribution: commented
Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

chowzer’s picture

chowzer CreditAttribution: chowzer commented

Hi, I need some help here please.

I uploaded some new ver6.1 modules for my new Drupal V6.1 site. I went into the Administer menu to activate the modules but got a blank page with the two lines:
"Welcome to the administration section. Here you may control how your site functions.
You do not have any administrative items."

I deleted all the uploaded modules but the problem still persists.

I found this thread and wonder if the patches available here will help resolve my problem so that I can get my site back to before I uploaded the modules.

The other question is how do I apply the patches? I have searched the forum for the answer to this and the patch application process sounds really complicated. Is there a simpler way to apply the patch other than command lines which I'm not familiar with, being a non-programmer?

Thanks in advance for any help rendered :)

cwgordon7’s picture

cwgordon7 CreditAttribution: cwgordon7 commented

The patch has already been applied.

Oddly, the same thing happened to me. But try as I might, I could not reproduce on a fresh install.

Rowanw’s picture

Rowanw CreditAttribution: Rowanw commented

The other question is how do I apply the patches? I have searched the forum for the answer to this and the patch application process sounds really complicated. Is there a simpler way to apply the patch other than command lines which I'm not familiar with, being a non-programmer?

As far as I know the only way to apply a patch is with the command line, but it's not too difficult to learn if you put the effort in.

The documentation for applying patches is at http://drupal.org/patch/apply

chowzer’s picture

chowzer CreditAttribution: chowzer commented

Hi Rowanw

Thank you for your reply. Guess I will have to learn a new trick here to resolve this issue. Hopefully the patch will help.

cwgordon7’s picture

cwgordon7 CreditAttribution: cwgordon7 commented

But...

Apparently you were not listening to me. The patch has already been applied. There is nothing further to do here. :P

So, not only will the patch not help, it CANNOT help, because it has ALREADY BEEN APPLIED. This means that the code you are working with already has the patch applied. So if you attempt to apply the patch, you will get a failure notice, because the original code that this patch patched is no longer there, as it has already been patched by this patch. Nothing left in this issue can help you.

kenorb’s picture

kenorb CreditAttribution: kenorb commented

#17:
You may also rebuild menu_router by DTools (wsod)
See also: #514898: "You do not have any administrative items." - Callback: system_main_admin_page() doesn't exist!