An authenticated user with only the permission 'Administer vocabularies and terms' is able to do whatever he/she wants.
Permissions like 'Edit terms in Tags' or 'Delete terms from Tags' are not taken into account: whether they are set or not, the user is able to edit or delete terms, even(!) delete the whole vocabulary.
Please fix.
Comment | File | Size | Author |
---|---|---|---|
#19 | 1038330-19-taxonomy-vocab-perms.patch | 2.2 KB | Manuel Garcia |
Comments
Comment #1
Berdir
I think this is by design.
Administer *something* permissions in Drupal usually allow you to do everything. If you want to only give specific permissions, only grant those.
This might be a feature request instead, what exactly do you want to allow your users to do?
Comment #2
catch
This is by design, the permission acts the same as the 'administer content types' permission (to the extent that it's possible given that node and taxonomy are a bit different).
Comment #3
Csabbencs
Ok, I understand your point that it could be a design question.
But if you revoke 'Administer vocabularies and terms' then the user can't view the terms even if you give him/her the permissions 'Edit terms in Tags' or 'Delete terms from Tags'.
So, to summarize:
- 'Administer vocabularies and terms' -> user can do everything if set, nothing if not set
- 'Edit terms in Tags' or 'Delete terms from Tags' -> does not matter if they are set or not, they don't affect anything (=these lines could be deleted from permissions).
So something is not quite ok here...
Comment #4
catch
There is an edit tab on all taxonomy/term/n pages, controlled by those permissions, the delete button is on that page (again consistent with nodes/users).
Comment #5
Csabbencs
I debugged the code: the reason I couldn't edit without setting 'Administer vocabularies and terms' was that I came from the admin pages to check taxonomy terms and got access denied.
The only path for which 'Edit terms in Tags' works is taxonomy/term/n pages, like you wrote.
My opinion is that when 'Administer vocabularies and terms' is not set, but 'Edit terms in Tags' is set, paths such as admin/structure/taxonomy/vocabulary should be usable, too.
Comment #6
Csabbencs
Comment #7
catch
Let's have this as a task, granular access to specific features of pages in /admin isn't something we have much of in core, but I'd like to see more of it. Also someone else posted an issue in another thread where they'd been confused by how these permissions work, so there's clearly a usability or at least expectations issue here.
Comment #8
joelstein
When I saw those permissions, I thought that the role would be able to see the "list terms" page, re-arrange terms, and add terms.
That is not the case. All the role can do is click the "edit" tab when viewing the term, and delete it on that page.
Here's a discussion of others who were confused by this: http://drupal.org/node/992856.
Usability issue, confirmed. ;)
Comment #9
joelstein
Doing what I described in #8 is as simple as the following change to taxonomy.module (in D7):
Since taxonomy_term_edit_access expects to receive an object with a vid property ($term), passing it the vocabulary (as above) works just fine. Of course, we'd probably want to rename taxonomy_term_edit_access to something more inclusive of both vocabularies and taxonomy terms... perhaps taxonomy_edit_access?
For those who need an intermediate solution, place the following in hook_menu_alter inside a custom module:
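Added example (not joelstein's code, which is not reproduced on this page): a sketch of the kind of hook_menu_alter() override described in #9, assuming Drupal 7 core's menu paths and a hypothetical custom module named `mymodule`. It uses its own access callback, also hypothetical, rather than passing a vocabulary to `taxonomy_term_edit_access`, and leaves the vocabulary's own edit/delete page on 'administer taxonomy'.

```php
<?php
/**
 * Added example, not code from this issue. Assumes Drupal 7 and a
 * hypothetical custom module named "mymodule".
 */

/**
 * Implements hook_menu_alter().
 */
function mymodule_menu_alter(&$items) {
  // Drupal 7 core guards these pages with
  // 'access arguments' => array('administer taxonomy').
  $base = 'admin/structure/taxonomy/%taxonomy_vocabulary_machine_name';

  // Term overview (list, reorder) and the "add term" form.
  foreach (array($base, "$base/add") as $path) {
    if (isset($items[$path])) {
      $items[$path]['access callback'] = 'mymodule_vocabulary_terms_access';
      // Path argument 3 is the loaded vocabulary object.
      $items[$path]['access arguments'] = array(3);
    }
  }
  // "$base/edit" (edit or delete the vocabulary itself) is deliberately
  // not altered, so it still requires 'administer taxonomy'.
}

/**
 * Access callback: may the current user manage terms in this vocabulary?
 *
 * @param object $vocabulary
 *   Vocabulary loaded from the path; only its vid is used.
 *
 * @return bool
 *   TRUE for administrators or holders of the per-vocabulary edit permission.
 */
function mymodule_vocabulary_terms_access($vocabulary) {
  if (empty($vocabulary->vid)) {
    // Fail closed if the path loader did not return a vocabulary.
    return FALSE;
  }
  return user_access('administer taxonomy')
    || user_access('edit terms in ' . $vocabulary->vid);
}
```

The menu router is cached, so the override takes effect only after a cache clear. Anyone holding the per-vocabulary edit permission can then also reorder and add terms from the overview page, which is wider than what that permission grants on taxonomy/term/n.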
Comment #10
rickvug
Sub. The proposal in #9 looks very logical and straightforward. I can't think of a problem with the permission. Does anyone have an objection? It would be great to get this into Drupal 8 and then consider back-porting to D7.
Comment #11
screenage
subscribing
Comment #12
JohnnyX
View/edit/delete own terms would be great. User based terms could also be used with access by term as access control for users own content.
Comment #13
ihearttacobell
I'd like to see this happen. Subscribing.
Comment #14
David4514
I would like to vote for this too since I just now fell into the same trap. The all or nothing approach currently used does not meet our requirements. I would like to give someone the ability to manage a vocabulary (i.e. add/delete/update terms in a vocabulary) without the ability to administer all vocabularies. I would also like them to not be able to delete the vocabulary they are allowed to manage. They should only be able to manage the terms within the vocabulary.
This would be a great plus.
Comment #15
afmdsouza
hook_menu_alter() solution at #9 fixes this issue as per #8, +1 for including it in D7 & D8. Thanks joelstein!
Comment #16
bneel
Idem
hook_menu_alter() solution at #9 fixes this issue as per #8,
+1 for including it in D7 & D8.
Thanks !
Comment #17
thinkact
Found this taxonomy_access_fix module implemented the workaround similar to #9 above. It works on Drupal 7.12
Comment #18
kristofferwiklund
Great module in #17. Does what I needed, without having to do a patch myself.
Comment #19
Manuel Garcia
An absolute must have for sites with content editor teams.
Find attached a patch implementing what is discussed in #9
I've also added a permission to add terms to a specific vocabulary, so now it should be granular enough.
What works:
- Going to admin/structure/taxonomy/tags, editing, adding, deleting and reordering terms.

What doesn't work (and should imho):
- Going to admin/structure/taxonomy returns access denied
- Going to admin/structure displays "You do not have any administrative items."
- Ideally going to admin/structure/taxonomy should list the vocabularies to which you have access.

Comment #20
dddbbb
I'm also pretty confused by the default permissions handling/UX. I'd love to see this straightened out in core too.
Thanks for the link to http://drupal.org/project/taxonomy_access_fix - that'll do nicely as a short term solution.
Further reading for anyone interested in seeing this fixed in Drupal 8: http://drupal.org/node/1848686
Comment #21
anou
Patch #19 no longer applies to D7.22
Comment #22
klonos
The patch in #19 is meant for D8 (applies to /core/modules/taxonomy/taxonomy.module). AFAICT there never was a patch for D7 in this issue.
Comment #23
anou
My mistake. I misunderstood. Thanks for the precision. And not to mention that I finally used the taxonomy_access_fix module after trying to modify, without success, the patch to apply on D7 :-)
Comment #26
realityloop
Comment #27
realityloop
Comment #29
Berdir
I posted a detailed overview of all related issues that we have around this topic in #1848686-179: Add a dedicated permission to access the term overview page (without 'administer taxonomy' permission) (#179 if the link does not work).
As suggested there, I'm closing this issue as a duplicate of that issue as this only has a very old patch that is no longer relevant.