Problem/Motivation
There is some inconsistency on how we show links on hook_permission functions. On some places we use user_access on the menu to make sure the user can access the link, on some places we don't. Specifically, such a call was removed from filter_permission as documented on this issue: https://drupal.org/node/1684930.
Proposed resolution
We can either add that check to such functions, like the check that was removed from filter_permission. The fear is that it doesn't feel right to do a user check on a hook info function that is defining the permissions. As mentioned by @dawehner (in [this comment](https://drupal.org/node/1684930#comment-6905328)) user_access does not call hook_permission, but doing a check does block it from being cached for every user. Right now seems like hook_permission is not bein cached. The other places where I could find links that used a user_access call in the hook_permission function where file and node modules:
git grep -A 40 'hook_perm' | grep user_access
core/modules/file/file.module- 'description' => user_access('access files overview')
core/modules/node/node.module- 'description' => user_access('access content overview')
Remaining tasks
Either remove user_access calls from file and node hook_permission modules, or add it back to filter_permission and look for other possible candidates.
I would vouch for removing it for consistency.
Comments
Comment #1
g3r4 CreditAttribution: g3r4 commentedI'll work on a patch to solve this issue
Comment #2
g3r4 CreditAttribution: g3r4 commentedI removed the calls to user_access on the file.module and the node.module files, sending patch for testing and discussion
Comment #3
g3r4 CreditAttribution: g3r4 commentedComment #4
joshi.rohit100for consistency, changed '@url' to '!url'
Please review now.
Comment #5
g3r4 CreditAttribution: g3r4 commented_
Comment #6
amitgoyal CreditAttribution: amitgoyal commentedurl() has been replaced with \Drupal:url() as per D8 standard.
As there is no routing info available for admin/content/files so that has not been updated in file.module.
Comment #7
jackbravo CreditAttribution: jackbravo commentedThe patch works ok for me, and it is pretty easy and straightforward. Marking as RTBC.
Comment #10
joshi.rohit100status change
Comment #11
jackbravo CreditAttribution: jackbravo commentedComment #12
chx CreditAttribution: chx commentedI looked at this patch and do not readily see any security implications despite the very scary title :)
Comment #13
David_Rothstein CreditAttribution: David_Rothstein commentedFixing the inconsistency in this direction is fixing a bug that doesn't exist ("uncacheability" of something that's never cached, and probably doesn't have much reason to ever want to cache?)... and in exchange it introduces an actual user-facing bug: more 403 errors for users following links in the admin interface.
Fixing it the other way removes the existing 403 errors, in exchange for some code complexity.
But it's rare for an admin to be able to see the permission page and not see these other pages, and also there are probably plenty of other similar 403 errors elsewhere in the admin interface (links in help text?), so just saying we're going to consistently show them the link in these situations regardless of whether they can access it is probably not so terrible.
Comment #14
alexpottAlso an admin knowing that there is functionality they don't have permission to access is useful information.
Committed 3e34d84 and pushed to 8.x. Thanks!
Comment #16
David_Rothstein CreditAttribution: David_Rothstein commentedAs discussed in #1684930: Add description to "administer filters" permission this could perhaps be backported (or at least it could be discussed)? It wouldn't break any translations, since it would just remove some translatable strings.
I'm not sure Drupal 7 actually has an inconsistency currently though (everything I saw, at least on a standard install, does check the permissions). Also, it just occurred to me that to the extent that contrib modules are following core's pattern, we might not want to change it out from underneath them...
Comment #17
er.pushpinderrana CreditAttribution: er.pushpinderrana commented@David_Rothstein, I have removed
user_access()
from node_permission function in node.module but in file.module there is no hook_permission found.Please review attached patch for D7.
Comment #18
er.pushpinderrana CreditAttribution: er.pushpinderrana commentedSorry forget to attach patch. Here is patch.
Comment #19
David_Rothstein CreditAttribution: David_Rothstein commentedThat looks right to me.. but I know there's (at least) one more place in the D7 codebase where user_access() is used in hook_permission(): the Filter module (since that's what kicked off this issue in the first place).
Comment #20
joshi.rohit100updated the patch with user_access() remove from hook_permission() in filter module.
Comment #21
amonteroPatch review:
Patch is OK.
Notice: linked below there is a postponed issue awaiting to completion of this one.
#1684930: Add description to "administer filters" permission
Comment #24
David_Rothstein CreditAttribution: David_Rothstein commentedTestbot fluke.
Comment #25
David_Rothstein CreditAttribution: David_Rothstein commentedOK, it sounds like this is the direction people want to go in, so let's do this.
I enabled all core modules and looked at the Permissions page and didn't see any others that had links with a permission check on them, so this looks good.
Committed to 7.x - thanks!
Made this fix on commit, since the code comment was no longer correct:
Comment #28
kenorb CreditAttribution: kenorb commented