The access permissions for the configuration screen are too open and allow anonymous users to view the "Exempt the following views from using GET ajax." form and make changes to the module configuration.

To reproduce:
Navigate to admin/config/system/views_ajax_get as an anonymous user
Save the configuration form

Expected behaviour:
When I am an anonymous user I cannot see or modify configuration options for the module.

Comments

steveworley

Status: Active » Needs review
Attachment: new, 529 bytes

Here is my proposed permission.

Thanks,
Steve

steveworley

Issue summary: View changes
leon kessler

Good spot! Thanks.

I think we probably want a more specific permission than 'administer site configuration'.
It could be 'administer views', or maybe we should define our own permission.

leon kessler

Status: Needs review » Needs work
steveworley

Yeah I wasn't too happy with 'administer site configuration', can't believe I missed 'administer views'. Personally I think it would make sense to use that as opposed to defining a new one unless you can see future use cases where a more specific permission would come in handy.

Two patches:
- admin-config-menu-permissions-2376925-5.patch has the 'administer views' permission
- admin-config-menu-permissions-hook-permission-2376925-5.patch has 'administer views get' and the hook_permission implementation to define it

leon kessler

Thanks.

I prefer the approach of having our own defined permission. A site admin may want to give their users access to administer views, but still hide the views_ajax_get configuration page (as it could be confusing and not make sense to them).

One thing though: the permission should be 'administer views ajax get' rather than 'administer views get'.

steveworley

Updated the patch to use 'administer views ajax get' for the permission.
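What the agreed-on fix looks like in Drupal 7 terms, as an added illustration rather than the module's actual code or either of the patches attached in this thread: a hook_permission() implementation that defines 'administer views ajax get', and a hook_menu() router item for admin/config/system/views_ajax_get that requires it. hook_permission() and hook_menu() are real Drupal 7 hooks; the function names follow the MODULENAME_hook convention for a module named views_ajax_get, and the form ID views_ajax_get_settings_form is an assumption, since the module's form builder name does not appear on this page.

```php
<?php
/**
 * @file
 * Illustrative Drupal 7 access control for the views_ajax_get settings page.
 * Added example, not the module's own code; the form ID is assumed.
 */

/**
 * Implements hook_permission().
 *
 * Defines the module-specific permission discussed in the thread, so a site
 * admin can grant 'administer views' without also exposing this page.
 */
function views_ajax_get_permission() {
  return array(
    'administer views ajax get' => array(
      'title' => t('Administer Views Ajax GET'),
      'description' => t('Choose which views are exempted from using GET for AJAX requests.'),
      // Marks the permission in the admin UI as one with security implications.
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 */
function views_ajax_get_menu() {
  $items = array();
  $items['admin/config/system/views_ajax_get'] = array(
    'title' => 'Views Ajax GET',
    'description' => 'Exempt views from using GET ajax.',
    'page callback' => 'drupal_get_form',
    // Assumed form ID; the real module's form builder name is not on the page.
    'page arguments' => array('views_ajax_get_settings_form'),
    // The fix: gate the router item on the new permission. Drupal's default
    // 'access callback' is user_access(), so an anonymous request to this
    // path gets a 403 instead of the form. A constructed example of the class
    // of weakness being fixed would be 'access callback' => TRUE, which skips
    // the permission check entirely for every role.
    'access arguments' => array('administer views ajax get'),
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}

/**
 * Helper for verifying the fix from code or a drush shell (assumed name).
 *
 * Returns TRUE only when the given account holds the new permission; for
 * drupal_anonymous_user() this must be FALSE after the change.
 */
function views_ajax_get_can_administer($account = NULL) {
  return user_access('administer views ajax get', $account);
}
```

After adding a new permission or changing 'access arguments' on an existing router item, clear the menu cache (the "Rebuild menu" step, or `drush cc menu`) so the router table picks up the new access rule; then repeat the "To reproduce" steps from the issue summary as an anonymous user and confirm the path returns "Access denied" rather than the form.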

  • leon.nk committed 51a00fe on 7.x-1.x authored by steveworley
    Issue #2376925 by steveworley: Configuration access permissions too...
leon kessler

Status: Needs work » Fixed

Awesome, thanks so much.

Added to dev and to new release 7.x-1.2.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.