It appears that enabling Admin Menu along with certain user permissions exposes menu options that it should not:

Log in as "Admin". Create a new user role "Editor". Assign the following two permissions to that role:
(1) "Toolbar/Use the administration toolbar"
(2) "User/Administer users"

Create a new user "PineTree". Add PineTree to the Editor role. Log out from Admin and in as PineTree.
The result is the correct behavior of having a People menu item in the top Toolbar, but no other items.
People allows new users to be added, filtered and edited, but that's all!

Now, log out from PineTree and in as Admin. Install and enable the Administration Menu module and disable the Toolbar module. Go to Permissions, disable the Toolbar permission for PineTree (if it is still showing), then enable the "Access administration menu" permission for PineTree. Log out from Admin and in as PineTree. The following top-level, unauthorized menu item and submenu items will appear in the Admin Menu bar in addition to the People item: "Configuration/People/Account Settings/Manage Fields + Manage Display".

I have tested and reproduced this security-critical bug on 3 separate Drupal installations. These instances do have some modules and configuration in common so there is some potential for a module conflict. I have not tested for the bug on a clean install of Drupal, simply because I do not have any more time to spare right now.

Comments

tguilpain

Bug reproduced on clean install of drupal-7.21. I'll try to look into it.

tguilpain

I'm not sure it is a bug anymore. Looking at the permissions bound to menu items in the user.module file, you can see that both admin/config/people/accounts and admin/people are managed by the "administer users" permission. Both are accessible with and without admin_menu. However, without admin_menu the menu link for admin/config/people/accounts is not visible.

So I'd rather say this is a problem coming from the user module and is due to having all those menu items' access managed by the same permission: "administer users".
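Worked illustration, added here and not part of this issue thread or of Drupal core: the cause described above is that user.module's hook_menu() gates admin/people and admin/config/people/accounts (and, through the user entity's 'admin' path, the Field UI "Manage fields" / "Manage display" tabs) with the single permission "administer users". A site that needs the split can do it in a small Drupal 7 module with hook_permission() and hook_menu_alter(). The module name account_settings_perm and the permission name "administer account settings" are assumptions chosen for this example; nothing else here is invented, since hook_permission(), hook_menu_alter(), user_access() and the router paths are Drupal 7 API and core paths.

```php
<?php
/**
 * @file
 * account_settings_perm.module (hypothetical module name, assumed for this example).
 *
 * Splits the Drupal 7 "administer users" permission so that the People list
 * (admin/people) and the Account settings form plus its Field UI tabs
 * (admin/config/people/accounts and everything below it) are gated by
 * different permissions. admin_menu only renders router items the current
 * user may access, so once "Configuration > People > Account settings" is
 * behind a permission the Editor role lacks, the item disappears for that role.
 */

/**
 * Implements hook_permission().
 */
function account_settings_perm_permission() {
  return array(
    // Permission name is an assumption for this example.
    'administer account settings' => array(
      'title' => t('Administer account settings'),
      'description' => t('Change site-wide account settings, including user fields and their display.'),
      // Flag it as site-critical so the Permissions page warns about it.
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu_alter().
 *
 * Re-points every router item at or below admin/config/people/accounts that
 * uses the default user_access('administer users') check at the new
 * permission. Items with a custom access callback are left untouched.
 * hook_menu_alter() only runs on a menu rebuild, so clear caches after
 * enabling the module.
 */
function account_settings_perm_menu_alter(&$items) {
  $prefix = 'admin/config/people/accounts';

  foreach ($items as $path => &$item) {
    // Match the account settings page itself and anything nested under it
    // (Field UI registers e.g. admin/config/people/accounts/fields here).
    if ($path !== $prefix && strpos($path, $prefix . '/') !== 0) {
      continue;
    }

    $callback = isset($item['access callback']) ? $item['access callback'] : 'user_access';
    $arguments = isset($item['access arguments']) ? $item['access arguments'] : array();

    if ($callback === 'user_access' && $arguments === array('administer users')) {
      $item['access arguments'] = array('administer account settings');
    }
  }
  // Break the reference left behind by the foreach so later code cannot
  // accidentally overwrite the last router item.
  unset($item);
}
```

After enabling the module and clearing caches, verify the change the way an attacker would, not just by looking at the menu: log in as the restricted user and request /admin/config/people/accounts and /admin/config/people/accounts/fields directly; both should return 403 while /admin/people still loads. Two caveats: user 1 bypasses every permission check in Drupal 7, so test with an ordinary account, and default local tasks such as admin/config/people/accounts/settings carry no access arguments of their own and inherit from the parent, which is why the loop above only needs to match explicitly gated items.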

SandPond

Many modules provide their own permission options.

One problem with Drupal is that the "Permissions and Roles" are not "fine-grained" enough to provide necessary flexibility. I wish there were a more comprehensive module for managing permissions.

I do not know what is responsible for the "problem", I just know that the problem needs a solution.

Currently, this issue is prohibiting us from providing "Add User" rights so that our editors can assign contributors. For security reasons, we can not give our editors more rights than they should have.

Thank you sincerely for your quick response to this item. I hope someone can work this out. Good luck!

sun

Priority: Critical » Normal
Status: Active » Closed (works as designed)

Admin menu exposes exactly the items that are exposed and made accessible by Drupal core and contributed modules.

This is covered by tests.