Hi Robin -

Thanks for the great module :) I've created a small patch to improve two tiny issues I've found with this module...

1) The main change is that an "administer add another" permission is added (instead of using core's own "access administration pages" permission). This is important since otherwise the extra Add Another module configuration appears to roles where it would likely be undesirable (e.g. many non site-builder or non-full-administrator roles may still need the "access administration pages" permission, so best not to allow module configuration at that permission level). It would be undesirable for instance, for an "editor" or "staff" role to be able to change the settings of Add Another module, however those roles almost certainly will have the "access administration pages" permission.

2) The other slight adjustment is changing the name of the "enable add another" permission to the more standard/familiar Drupal permission naming of "access add another" (the word access is almost always used in every Drupal module when the permission is to grant the use/access of the module to a role... keeping the naming consistent will help avoid confusion. The word "enable" here can be confusing, as even I wasn't sure what "enable" really meant in this context until I looked into it). Permissions should generally be named based on the action they will permit (e.g. to access something, edit something, etc).

To ensure the change has no requirement for users to reconfigure anything, I added a small database update function to the .install file (webchick showed me how to do it based on code from system.install). This ensures the roles that had "enable add another" get switched automatically to "access add another".

Hope this helps!

- David

CommentFileSizeAuthor
#8 addanother-improve_permissions2.patch5.27 KBdnewkerk
addanother-improve_permissions.patch4.02 KBdnewkerk
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

andrewmacpherson’s picture

andrewmacpherson CreditAttribution: andrewmacpherson commented

I agree with the second point that "enable add another" could be confusing. It can be construed as permission to configure the module; the admin page says 'Enable Add Another for these content types'.

"Access add another" sounds a bit odd, though. The user isn't granted access to any new parts of the website - they just becomes eligible to receive a message. Perhaps "Use Add Another" would work better?

andrewmacpherson’s picture

andrewmacpherson CreditAttribution: andrewmacpherson commented
Status: Active » Needs work

I've tried out the patch, and have some feedback about it.

For testing purposes, I granted authenticated users the new "administer add another" permission, but not the "access administration pages" permission. The new permissions work, but there are a couple of issues that would need further work.

1) How would such a user navigate to the Add Another admin page? It doesn't appear in the navigation menu, presumably because it's parent items are inaccessible without the "access administration pages" permission.

i.e.,
admin - access denied
admin/settings - access denied
admin/settings/addanother - access OK
admin/help/addanother - access denied

To be useful, a site administrator would need to provide a new link for users with the administer add another permission.

2) The [more help...] link leads to an access denied page; presumably for the same reason.

dnewkerk’s picture

dnewkerk CreditAttribution: dnewkerk commented

Hi Andrew, thanks for your feedback.

First regarding your previous post... I agree that "use" may make more sense than "access". I can reroll a patch for that.

For your second post...

1) Non-administrator or site builder roles should not be given permission to administer this module... Drupal does always "allow" any role to have "any" permission though... it's just how it works. Just as you could allow "administer search" or some other permission to authenticated users, you could do the same in this case - but you should not of course. And generally if you "are" giving administration related permissions to a role, you always have "access administration pages" permission as well. That confusing permission simply allows the first ground level of access to the admin paths, while not actually granting any specific permission to "do" anything.

The settings of Add Another module (administer add another) are not something any user besides UID 1 or a top level site builder/administrator role ever needs access to. The settings of the module affect all other users on the site and should only be exposed to privileged users. The only aspect of the module that should be exposed to regular end users is its actual function, which is to add an "Add another [node type]" link into the message area that appears after you submit a new node (so long as it is of a type determined by the site administrator). No other menus or pages of the module should be known or accessible to other users, just as (for example) admin/settings/search or other configuration pages should not be. For instance, with "access administration pages" permission disabled and core's "administer search" permission enabled, the path "admin/settings/search" is now accessible to the user, however no menu items, nor parent pages (e.g. /admin) are available.

2) You're right that the "more help..." link gives access denied in this case. This however is an issue with modules overall if "access administration pages" permission is not given. For example with the above configured example of "administer search" the same is true, where admin/help/search is access denied. This is not something we can fix (to my knowledge) in the module. As mentioned, when a role is being given administrative permissions, also giving the "access administration pages" permission is standard practice, which solves this issue. Personally I don't see or understand the value of the "access administration pages" permission at all, but that's how it currently works.

So to wrap up:
- I'll re-roll the patch to change the permission to "use" instead of "access".
- We can add additional documentation to inform users that "access administration pages" permission is a general prerequisite if the user is going to "administer add another", however there's nothing beyond that we can or should do in this module regarding that issue. The rest is up to core (e.g. submit issues against D7 regarding how to handle administration permissions, access to the help pages, etc).

Again thanks for the feedback, and let me know your thoughts on the above.

andrewmacpherson’s picture

andrewmacpherson CreditAttribution: andrewmacpherson commented

Thanks Keyz - it all makes sense now. I got it completely the wrong way round, didn't I?

I must've been drinking the wrong kind of tea yesterday ;-)

So, access administration pages is really a kind of gateway permission, just to get to see pages under the admin/* path... I hadn't realized that was all it did. (I had to try enabling only that permission to convince myself.)

In that case, yes, the new administer add another permission makes good sense. The [more help...] link thing was a total non-issue.

Let's hope that I have a more intelligent day today. I'm drinking Yorkshire Tea - like tea used to be.

andrewmacpherson’s picture

andrewmacpherson CreditAttribution: andrewmacpherson commented
Status: Needs work » Reviewed & tested by the community

forgot to update the status

andrewmacpherson’s picture

andrewmacpherson CreditAttribution: andrewmacpherson commented

Slightly off-topic, but did have you tried out the Site Configuration Permissions module? It provides finer-grained permissions for accessing all of the pages governed by the core administer site configuration. Mighty useful, especially for limiting access to the admin/build/modules.

Robin Monks’s picture

Robin Monks CreditAttribution: Robin Monks commented
Status: Reviewed & tested by the community » Needs work

Waiting for the re-roll.

--Robin

dnewkerk’s picture

dnewkerk CreditAttribution: dnewkerk commented
Status: Needs work » Needs review
FileSize
addanother-improve_permissions2.patch5.27 KB

Made the mentioned changes and re-rolled patch. Re-roll also includes a few minor code style adjustments that Coder module caught.
Have tested applying the patch and running the update, and it appears to be perfect... if anyone can take a moment to apply the patch and confirm that would be excellent :)

andrewmacpherson’s picture

andrewmacpherson CreditAttribution: andrewmacpherson commented

I've tried the updated patch, and confirm it works as expected, including update from 6.x-1.3 release.

Robin Monks’s picture

Robin Monks CreditAttribution: Robin Monks commented
Status: Needs review » Fixed

Patch applied to 6.x branch, a new release will be rolled shortly.

Major kudos to Keyz/David for the patch, and such a speedy re-roll!

--Robin

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

dnewkerk’s picture

dnewkerk CreditAttribution: dnewkerk commented

Hi Robin... any chance of a new release soon?
Thanks :)

dnewkerk’s picture

dnewkerk CreditAttribution: dnewkerk commented
Title: Patch to improve permissions - please review » Patch to improve permissions - ready for release
Status: Closed (fixed) » Reviewed & tested by the community

Hello Robin, just checking in as it's been a while. Would you mind please rolling out an official release? I like using this module for a variety of my sites and client sites and would prefer to not keep juggling the custom patched copy. If by chance you've decided not to maintain this module any further, please let me know and I would be happy to co-maintain.

Thanks!

Robin Monks’s picture

Robin Monks CreditAttribution: Robin Monks commented
Version: 6.x-1.3 » 6.x-1.4
Status: Reviewed & tested by the community » Fixed

AddAnother 6.x-1.4 is now released.

Thanks!
--Robin

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit ba8f07f on 6.x-1.x, 7.x-1.x, 7.x-2.x, master, 8.x-1.x by Robin Monks: 
    Patch #418852 (Keyz)   Patch to improve permissions   1) Adds an "...