(Changed title and first paragraph based on comment #2 below)
If I grant a staff user access to the admin pages so that they can get to /admin/content without having to know the URL (see related issue #2316905), they can edit the image toolkit JPEG setting.
Steps as admin:
1. Create role Staff
2. Create user Charles Belov
3. Assign Charles Belov to Staff role
4. Give Charles Belov the following permissions:
   - Access the Content overview page
   - View own unpublished content
   - View all revisions
   - Revert all revisions
   - Article: Create new content
   - Article: Edit own content
   - Article: Edit any content
   - Article: Delete own content
   - Article: Delete any content
   - Article: View revisions
   - Article: Revert revisions
   - Basic page: Create new content
   - Basic page: Edit own content
   - Basic page: Edit any content
   - Basic page: View revisions
   - Basic page: Revert revisions
   - Use the administration pages and help
   - View the administration theme
   - Edit terms in Tags
   - Use the administration toolbar
5. Save permissions
Steps as Charles Belov:
1. Log in
2. Click Manage
   Actual result: Content, Structure, Configuration, Help menu items
   Expected result: Content, Help menu items
3. Click Configuration
   Actual result: Image toolkit menu item
   Expected result: Access denied
4. Click Image toolkit
   Actual result: Screen to set JPEG quality
   Expected result: Access denied
5. Change 75 to 42
6. Click Save configuration
   Actual result: The configuration options have been saved
   Expected result: Access denied
| Comment | File | Size | Author |
|---|---|---|---|
| #10 | 2316203-10.patch | 1.65 KB | olli |
| #10 | 2316203-fail.patch | 1.12 KB | olli |
Comments
Comment #1 by Charles Belov
Comment #2 by tim.plunkett
"Use the administration pages and help"
That's 'access administration pages', and that's an admin permission.
Comment #3 by Charles Belov
Confirmed.
But it seems odd. That's a very specific function and there are other admin pages, e.g., /admin/content, that I would want staff to have access to (and will file as a related issue).
Comment #4 by Charles Belov
Comment #5 by Charles Belov
Comment #6 by Charles Belov
Comment #7 by Charles Belov
Comment #8 by Charles Belov
Comment #9 by tim.plunkett
That permission gives access to the following pages:
I think we should probably close this as "works as designed", and focus on the other issue.
Comment #10 by olli
The permission was changed from 'administer administration pages' to 'access administration pages' in #2111263: Toolkit setup form displays settings for multiple toolkits.
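To make the root cause olli points to concrete, here is an added illustration that is not taken from this issue or from the committed patch: a Drupal 8 route definition in the style of the system module's routing file, first guarded by the broad 'access administration pages' permission (the state this issue reports), then by a toolkit-specific permission. The route name, path and form class are the ones I know from Drupal 8's system module, and 'administer image toolkits' is the permission name I assume the fix restores; neither is spelled out on this page.

```yaml
# Added example, not the patch from this issue.
# Route for the Image toolkit settings form (/admin/config/media/image-toolkit).

# Weak: 'access administration pages' is a navigation-level permission.
# Any role that may browse /admin (such as the Staff role above) can also
# change the site-wide JPEG quality through this route.
system.image_toolkit_settings:
  path: '/admin/config/media/image-toolkit'
  defaults:
    _form: '\Drupal\system\Form\ImageToolkitForm'
    _title: 'Image toolkit'
  requirements:
    _permission: 'access administration pages'

# Corrected: the form is guarded by a permission that names the capability
# it actually grants, so reaching the admin menu no longer implies being
# able to edit toolkit settings. (Assumed permission name, see lead-in.)
system.image_toolkit_settings:
  path: '/admin/config/media/image-toolkit'
  defaults:
    _form: '\Drupal\system\Form\ImageToolkitForm'
    _title: 'Image toolkit'
  requirements:
    _permission: 'administer image toolkits'
```

The check a reviewer would run after such a change is the one the issue's own steps already describe: log in as a user who holds only 'access administration pages', request /admin/config/media/image-toolkit, and expect an access denied response rather than the settings form.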
Comment #12 by Charles Belov
I'll note in D7 I've given staff access to /admin and it doesn't give them access to any individually unauthorized functions, including the image toolkit JPEG setting.
That is, in my non-admin D7 login, with the admin page permission, I have access to:
/admin
/admin/content
/admin/structure
/admin/structure/nodequeue and subordinate links (Nodequeue module) (having granted permission by the admin)
/admin/config
/admin/config/search/redirect and subordinate links (Redirect module) (having granted permission by the admin)
/admin/help (although this one is not currently useful to a non-admin)
I do not have access to set the default JPEG compression ratio.
In any case, it appears that adding access to configure the JPEG compression ratio for this permission is a change from D7 to D8, and I'm puzzled that it's not a separate permission.
Comment #13 by tim.plunkett
I cross-referenced the permissions in system.module from D7 to D8, and you're right! This one mysteriously changed. Probably a bad copy/paste.
Thanks @Charles Belov for persevering. That is indeed the correct fix.
Comment #14 by tim.plunkett
Please disregard my patch, I completely crossposted with @olli in #10.
Comment #17 by tim.plunkett
Comment #18 by alexpott
Nice find!
Committed b9da0b6 and pushed to 2283977. Thanks!
Comment #19 by olli
Comment #21 by alexpott
Oops, I committed this to my dev checkout, hence the push to 2283977 lol.
The test fails are interesting - doing a retest.
Comment #22 by alexpott
Oops, patch in #10 is the RTBC one.
Committed e1e0ab2 and pushed to 8.0.x. Thanks!
Comment #25 by tim.plunkett