Hi Robin -
Thanks for the great module :) I've created a small patch to improve two tiny issues I've found with this module...
1) The main change is that an "administer add another" permission is added (instead of using core's own "access administration pages" permission). This is important since otherwise the extra Add Another module configuration appears to roles where it would likely be undesirable (e.g. many non site-builder or non-full-administrator roles may still need the "access administration pages" permission, so best not to allow module configuration at that permission level). It would be undesirable for instance, for an "editor" or "staff" role to be able to change the settings of Add Another module, however those roles almost certainly will have the "access administration pages" permission.
2) The other slight adjustment is changing the name of the "enable add another" permission to the more standard/familiar Drupal permission naming of "access add another" (the word access is almost always used in every Drupal module when the permission is to grant the use/access of the module to a role... keeping the naming consistent will help avoid confusion. The word "enable" here can be confusing, as even I wasn't sure what "enable" really meant in this context until I looked into it). Permissions should generally be named based on the action they will permit (e.g. to access something, edit something, etc).
To ensure the change has no requirement for users to reconfigure anything, I added a small database update function to the .install file (webchick showed me how to do it based on code from system.install). This ensures the roles that had "enable add another" get switched automatically to "access add another".
Hope this helps!
- David
Comment | File | Size | Author |
---|---|---|---|
#8 | addanother-improve_permissions2.patch | 5.27 KB | dnewkerk |
addanother-improve_permissions.patch | 4.02 KB | dnewkerk | |
Comments
Comment #1
andrewmacpherson CreditAttribution: andrewmacpherson commentedI agree with the second point that "enable add another" could be confusing. It can be construed as permission to configure the module; the admin page says 'Enable Add Another for these content types'.
"Access add another" sounds a bit odd, though. The user isn't granted access to any new parts of the website - they just becomes eligible to receive a message. Perhaps "Use Add Another" would work better?
Comment #2
andrewmacpherson CreditAttribution: andrewmacpherson commentedI've tried out the patch, and have some feedback about it.
For testing purposes, I granted authenticated users the new "administer add another" permission, but not the "access administration pages" permission. The new permissions work, but there are a couple of issues that would need further work.
1) How would such a user navigate to the Add Another admin page? It doesn't appear in the navigation menu, presumably because it's parent items are inaccessible without the "access administration pages" permission.
i.e.,
admin - access denied
admin/settings - access denied
admin/settings/addanother - access OK
admin/help/addanother - access denied
To be useful, a site administrator would need to provide a new link for users with the administer add another permission.
2) The [more help...] link leads to an access denied page; presumably for the same reason.
Comment #3
dnewkerk CreditAttribution: dnewkerk commentedHi Andrew, thanks for your feedback.
First regarding your previous post... I agree that "use" may make more sense than "access". I can reroll a patch for that.
For your second post...
1) Non-administrator or site builder roles should not be given permission to administer this module... Drupal does always "allow" any role to have "any" permission though... it's just how it works. Just as you could allow "administer search" or some other permission to authenticated users, you could do the same in this case - but you should not of course. And generally if you "are" giving administration related permissions to a role, you always have "access administration pages" permission as well. That confusing permission simply allows the first ground level of access to the admin paths, while not actually granting any specific permission to "do" anything.
The settings of Add Another module (administer add another) are not something any user besides UID 1 or a top level site builder/administrator role ever needs access to. The settings of the module affect all other users on the site and should only be exposed to privileged users. The only aspect of the module that should be exposed to regular end users is its actual function, which is to add an "Add another [node type]" link into the message area that appears after you submit a new node (so long as it is of a type determined by the site administrator). No other menus or pages of the module should be known or accessible to other users, just as (for example) admin/settings/search or other configuration pages should not be. For instance, with "access administration pages" permission disabled and core's "administer search" permission enabled, the path "admin/settings/search" is now accessible to the user, however no menu items, nor parent pages (e.g. /admin) are available.
2) You're right that the "more help..." link gives access denied in this case. This however is an issue with modules overall if "access administration pages" permission is not given. For example with the above configured example of "administer search" the same is true, where admin/help/search is access denied. This is not something we can fix (to my knowledge) in the module. As mentioned, when a role is being given administrative permissions, also giving the "access administration pages" permission is standard practice, which solves this issue. Personally I don't see or understand the value of the "access administration pages" permission at all, but that's how it currently works.
So to wrap up:
- I'll re-roll the patch to change the permission to "use" instead of "access".
- We can add additional documentation to inform users that "access administration pages" permission is a general prerequisite if the user is going to "administer add another", however there's nothing beyond that we can or should do in this module regarding that issue. The rest is up to core (e.g. submit issues against D7 regarding how to handle administration permissions, access to the help pages, etc).
Again thanks for the feedback, and let me know your thoughts on the above.
Comment #4
andrewmacpherson CreditAttribution: andrewmacpherson commentedThanks Keyz - it all makes sense now. I got it completely the wrong way round, didn't I?
I must've been drinking the wrong kind of tea yesterday ;-)
So, access administration pages is really a kind of gateway permission, just to get to see pages under the admin/* path... I hadn't realized that was all it did. (I had to try enabling only that permission to convince myself.)
In that case, yes, the new administer add another permission makes good sense. The [more help...] link thing was a total non-issue.
Let's hope that I have a more intelligent day today. I'm drinking Yorkshire Tea - like tea used to be.
Comment #5
andrewmacpherson CreditAttribution: andrewmacpherson commentedforgot to update the status
Comment #6
andrewmacpherson CreditAttribution: andrewmacpherson commentedSlightly off-topic, but did have you tried out the Site Configuration Permissions module? It provides finer-grained permissions for accessing all of the pages governed by the core administer site configuration. Mighty useful, especially for limiting access to the admin/build/modules.
Comment #7
Robin Monks CreditAttribution: Robin Monks commentedWaiting for the re-roll.
--Robin
Comment #8
dnewkerk CreditAttribution: dnewkerk commentedMade the mentioned changes and re-rolled patch. Re-roll also includes a few minor code style adjustments that Coder module caught.
Have tested applying the patch and running the update, and it appears to be perfect... if anyone can take a moment to apply the patch and confirm that would be excellent :)
Comment #9
andrewmacpherson CreditAttribution: andrewmacpherson commentedI've tried the updated patch, and confirm it works as expected, including update from 6.x-1.3 release.
Comment #10
Robin Monks CreditAttribution: Robin Monks commentedPatch applied to 6.x branch, a new release will be rolled shortly.
Major kudos to Keyz/David for the patch, and such a speedy re-roll!
--Robin
Comment #12
dnewkerk CreditAttribution: dnewkerk commentedHi Robin... any chance of a new release soon?
Thanks :)
Comment #13
dnewkerk CreditAttribution: dnewkerk commentedHello Robin, just checking in as it's been a while. Would you mind please rolling out an official release? I like using this module for a variety of my sites and client sites and would prefer to not keep juggling the custom patched copy. If by chance you've decided not to maintain this module any further, please let me know and I would be happy to co-maintain.
Thanks!
Comment #14
Robin Monks CreditAttribution: Robin Monks commentedAddAnother 6.x-1.4 is now released.
Thanks!
--Robin