Menu items not hidden when user has no permission

Hi there - just following up on this. I'm unable to reproduce this with the current version of navbar. Could it be that the problem is resolved? If not, please let me know the permissions that you do have on your test user so that I can reproduce.

n/a

I can confirm this as well. I am seeing menu items appear even though the role does not have permission.

In this case my permissions are as follows:

Content Author Role:

• Use administration navbar
• Use the administration pages and help
• View the administration theme
• Access My Workbench (This is what I want to see)
• Revisioning
• - Basic Page
• - Article
• Node
• - Edit/Add Basic Pages and Articles

Notice that there isn’t any permission for tasks under structure or configuration. These appear when I grant it the use administration pages and help

This is happening because Both Structure and Configuration menu items have the array(‘access administration pages’); as its access arguments. So it will always appear regardless if any of the subsections are accessible or not.

System.module

// Line 587
  // Menu items that are basically just menu blocks.
  $items['admin/structure'] = array(
    'title' => 'Structure',
    'description' => 'Administer blocks, content types, menus, etc.',
    'position' => 'right',
    'weight' => -8,
    'page callback' => 'system_admin_menu_block_page',
    'access arguments' => array('access administration pages'), <- This is visible because of this permission
    'file' => 'system.admin.inc',
  );

// Line 697
  // Configuration.
  $items['admin/config'] = array(
    'title' => 'Configuration',
    'description' => 'Administer settings.',
    'page callback' => 'system_admin_config_page',
    'access arguments' => array('access administration pages'), <-This is visible because of this permission
    'file' => 'system.admin.inc',
  );

I understand that this is a major core structural change so it doesn't make sense to change this. However, In the Drupal 7 Toolbar I was able to render My Workbench with use administration pages and help disabled. Is it possible to duplicate this with the navbar module? (see screen shots)

I'm just encountering the same issue. Want to use Navbar for clients to access their version of "admin" pages which are mainly views I put in management menu. I then turn off permission to access other admin functions. The problem is that to use Navbar I've got to have "use admin pages" on AND even when I turn off permissions for them to access real admin functions the menu items "configuration" and "structure" show up. Of course all of their sub items fail if clicked, as expected.

Really was expecting to be able to use Navbar for them as it offers great functionality for managing their tasks from tablets and phones, but having configuration and structure tabs show up will only confuse them.

I'll try moving those two items lower in the management menu chain as a workaround as then only I am inconvenienced with them not being where expected.

Edit:
So I can confirm moving "configuration" and "structure" under "appearance" (or modules, etc.) solves the case for using this for my clients at the expense of slight confusion for full admin (me).

partdigital has a good idea here. I took a look at toolbar module and at navbar module and how they handle generating the menu tree. They start with very similar functionality in navbar_get_menu_tree() and toolbar_get_menu_tree(). Toolbar utilizes the menu_build_tree method whereas navbar utilizes menu_tree_all_data. If I am reading it correctly, menu_tree_all_data() will return a cached version of the menu tree if it has been previously called for the same link id, language and depth. It does call menu_build_tree when it isn't found in the cache which in turn checks the permissions. If the tree is found in the cache, however, that means that permissions aren't checked on the result.

I think that's probably the culprit here in that a cached version of the menu can be returned with links shown to users who don't have permissions to those links. Drupal security prevents any unauthorized access, but navbar should be using the non-cached versions to ensure proper display (like toolbar does). I'm playing with a patch to do that and would love to get some eyes checking it in your various scenarios for those who have experienced problems here. There may be more happening here with the various permissions that we need to address - but I think this will be a good first step.

Here's an attempt that utilizes the same approach as the toolbar module. This also removes the need for "use the administration pages and help" which fixes the scenario provided regarding workbench. Please test and report back how these work on your various sites and permissions setups.

This looks like it will bring up an already fixed issue with the extra menu link can break the navbar. Looks like a rollback of my old patch...

@hass I looked back in the history of this section of the code and it was always using the menu_tree_all_data() function and therefore never checked access properly.
I'm assuming you are referring to this issue: https://www.drupal.org/node/2313813

You do make a good point to ensure that this doesn't go backwards regarding the extra top-level menu link. I'll run it through some further tests and see if the logic you added then still applies given how things are returned now.

Yep, #2313813: Creating a top-level menu link under Management menu breaks the toolbar.

@hass this is no longer a problem in the new patch from what I can tell because we are no longer utilizing the 'below' functionality. I have set up a test using the scenario presented in #2313813 and the navbar continues to function as expected.

Are you seeing something different?

Patch in #6 worked for me, thanks!

Looks like #2313813: Creating a top-level menu link under Management menu breaks the toolbar does not happen again with this patch.

I'm not seeing any significant change with this patch with 7.x-1.6+6-dev. The expected behaviour is that by using the config_perms module that the Configuration menu should not appear since the role has no items they can select under it.

Traditionally, using the admin_menu module with config_perms, the Configuration menu is hidden but if I use Navbar, the Configuration menu is back. This prevents me from effectively using the Navbar module unfortunately but will watch this forum for updates to fix this.

Hmm... I just tried the patch in #6 as well on my site, but I don't see any difference. I cleared caches twice. It still shows top level links that it shouldn't like Structure and Configuration.

Actually, the patch in #6 might be working. I will need to do some more testing.

Before the patch I had a permission "Access the content overview page - Get an overview of all content." enabled for a role, but it wasn't showing the Menu>Content link. You could still go to admin/content directly though.

After the patch, the Menu>Content link shows correctly in the navbar for that role.

Sorry, I should have read the comment in #6 better.

Before the patch in #6
I had "Use the administration pages and help" enabled for a role which was showing a lot of links like Structure and Configuration that the user didn't have any access to. If I disable that permission, then the user doesn't see the correct links in the navbar either. Structure, Configuration are correctly removed, but "My Workbench", Content, and Files links in the navbar are missing.

After the patch in #6
I had "Use the administration pages and help" enabled for a role which was still showing a lot of links Structure and Configuration that the user didn't have any access to. I assumed the "Use the administration pages and help" would simply allow users to access /admin, but when I disabled that permission the user had the correct links shown in the navbar and could still access those pages. The "My Workbench", Content, and Files links also correctly shows in the navbar.

The comment in #3 explains the why Structure and Configuration is showing when the "Use the administration pages and help" permission is enabled.

Hope that helps - back to RTBC

Confirmed #19 notes. Patch works only when "Use the administration pages and help" is disabled. If this is the expected behaviour, then thumbs up and RTBC.