(Changed title and first paragraph based on comment #2 below)

If I grant a staff user access to the admin pages so that they can get to /admin/content without having to know the URL (see related issue #2316905), they can edit the image toolkit JPEG setting.

Steps as admin:
1. Create role Staff
2. Create user Charles Belov
3. Assign Charles Belov to Staff role
4. Give Charles Belov the following permissions:
   - Access the Content overview page
   - View own unpublished content
   - View all revisions
   - Revert all revisions
   - Article: Create new content
   - Article: Edit own content
   - Article: Edit any content
   - Article: Delete own content
   - Article: Delete any content
   - Article: View revisions
   - Article: Revert revisions
   - Basic page: Create new content
   - Basic page: Edit own content
   - Basic page: Edit any content
   - Basic page: View revisions
   - Basic page: Revert revisions
   - Use the administration pages and help
   - View the administration theme
   - Edit terms in Tags
   - Use the administration toolbar

5. Save permissions

Steps as Charles Belov:
1. Log in
2. Click Manage

Actual result: Content, Structure, Configuration, Help menu items
Expected result: Content, Help menu items

3. Click Configuration

Actual result: Image toolkit menu item
Expected result: Access denied

4. Click Image toolkit

Actual result: Screen to set JPEG quality
Expected result: Access denied

5. Change 75 to 42
6. Click Save configuration

Actual result: The configuration options have been saved
Expected result: Access denied


Comments

Charles Belov’s picture

Issue summary: View changes
tim.plunkett’s picture

Version: 8.x-dev » 8.0.x-dev

Use the administration pages and help

That's access administration pages and that's an admin permission.

Charles Belov’s picture

Confirmed.

But it seems odd. That's a very specific function and there are other admin pages, e.g., /admin/content, that I would want staff to have access to (and will file as a related issue).

Charles Belov’s picture

Title: Non-admin user has permission to configure Image Toolkit » Permission Use the administration pages and help grants permission to configure Image Toolkit
Issue summary: View changes
Charles Belov’s picture

Title: Permission Use the administration pages and help grants permission to configure Image Toolkit » Permission "Use the administration pages and help" grants permission to configure Image Toolkit
Charles Belov’s picture

Issue summary: View changes
tim.plunkett’s picture

That permission gives access to the following pages:

/admin/help
/admin/help/{name}
/admin/reports/status/rebuild
/admin
/admin/structure
/admin/config/media
/admin/config/services
/admin/config/development
/admin/config/regional
/admin/config/search
/admin/config/system
/admin/config/user-interface
/admin/config/workflow
/admin/config/content
/admin/config/media/image-toolkit
/admin/index
/admin/config
/admin/content
/admin/config/people

I think we should probably close this as "works as designed", and focus on the other issue.

olli’s picture

Status: Active » Needs review
FileSize
1.12 KB
1.65 KB

The permission was changed from 'administer administration pages' to 'access administration pages' in #2111263: Toolkit setup form displays settings for multiple toolkits.

The last submitted patch, 10: 2316203-fail.patch, failed testing.
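
A check that would surface this class of mistake, as an added example (not code from this thread or from Drupal core): it lists the form routes that a role can reach with the permissions it holds, evaluating `_permission` the way Drupal does. The routing fragment, route names, class names and the Staff permission set are constructed; only the path and the two permission strings come from the thread.

```python
# Constructed fragment in Drupal 8 *.routing.yml shape. The path and the two
# permission strings are from the thread; route names and classes are made up.
ROUTING_YML = """\
example.admin_config:
  path: '/admin/config'
  defaults:
    _controller: 'ExampleOverviewController'
  requirements:
    _permission: 'access administration pages'
example.image_toolkit_before:
  path: '/admin/config/media/image-toolkit'
  defaults:
    _form: 'ExampleToolkitForm'
  requirements:
    _permission: 'access administration pages'
example.image_toolkit_after:
  path: '/admin/config/media/image-toolkit'
  defaults:
    _form: 'ExampleToolkitForm'
  requirements:
    _permission: 'administer administration pages'
"""

# Constructed permission set for the Staff role (machine names).
STAFF = {"access administration pages", "access content overview"}

def parse_routes(text):
    """Flatten the two-level YAML subset above into {route: {key: value}}."""
    routes, current = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if not key or key.startswith("#"):
            continue
        if not line.startswith(" "):
            current = routes.setdefault(key, {})
        elif value.strip():
            current[key] = value.strip().strip("'\"")
    return routes

def permission_allows(expr, held):
    """Drupal's _permission syntax: ',' joins all-of, '+' joins any-of."""
    if "," in expr:
        return all(p.strip() in held for p in expr.split(","))
    return any(p.strip() in held for p in expr.split("+"))

def reachable_forms(routes, held):
    """Names of form routes whose _permission the given role satisfies."""
    return sorted(n for n, r in routes.items()
                  if "_form" in r and permission_allows(r.get("_permission", ""), held))

if __name__ == "__main__":
    print(reachable_forms(parse_routes(ROUTING_YML), STAFF))
```

Overview pages guarded by the same permission are not reported, because only routes that render a form are counted.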

Charles Belov’s picture

I'll note in D7 I've given staff access to /admin and it doesn't give them access to any individually unauthorized functions, including the image toolkit JPEG setting.

That is, in my non-admin D7 login, with the admin page permission, I have access to:
/admin
/admin/content
/admin/structure
/admin/structure/nodequeue and subordinate links (Nodequeue module) (having granted permission by the admin)
/admin/config
/admin/config/search/redirect and subordinate links (Redirect module) (having granted permission by the admin)
/admin/help (although this one is not currently useful to a non-admin)

I do not have access to set the default JPEG compression ratio.

In any case, it appears that adding access to configure the JPEG compression ratio for this permission is a change from D7 to D8, and I'm puzzled that it's not a separate permission.

tim.plunkett’s picture

Component: image.module » system.module
Status: Needs review » Reviewed & tested by the community
FileSize
540 bytes

I cross referenced the permissions in system.module from D7 to D8, and you're right! This one mysteriously changed. Probably a bad copy/paste.

Thanks @Charles Belov for persevering. That is indeed the correct fix.

tim.plunkett’s picture

Please disregard my patch, I completely crossposted with @olli in #10.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 13: image-perm-2316203-13.patch, failed testing.

tim.plunkett queued 10: 2316203-10.patch for re-testing.

tim.plunkett’s picture

Status: Needs work » Reviewed & tested by the community
alexpott’s picture

Status: Reviewed & tested by the community » Fixed

Nice find!

Committed b9da0b6 and pushed to 2283977. Thanks!

olli’s picture

Status: Fixed » Reviewed & tested by the community

pushed to 2283977

alexpott’s picture

Oops I committed this to my dev checkout hence the push to 2283977 lol.

The test fails are interesting - doing a retest.

alexpott’s picture

Status: Reviewed & tested by the community » Fixed

Oops patch in #10 is the rtbc one.

Committed e1e0ab2 and pushed to 8.0.x. Thanks!

  • alexpott committed e1e0ab2 on 8.0.x
    Issue #2316203 by olli, tim.plunkett | Charles Belov: Fixed Permission "...

Status: Fixed » Needs work

The last submitted patch, 13: image-perm-2316203-13.patch, failed testing.

tim.plunkett’s picture

Status: Needs work » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.