As part of my full review of weblinks permissions which I did for #2442557: Remove permissions that are now implemented in core node module I noticed two things which we might consider changing:

  1. If user has "administer weblinks" shouldn't this be enough for them to see the links? Currently they also need 'access weblinks' which seems unnecessary. I cannot see any case for allowing a user to be a Weblink Admin but not allowing them to view the main links page.
  2. Blocks are not shown if the user does not have 'access weblinks'. I can see a situation where a site is designed to only show links via blocks. The main links page might be only for admins, but with our current code this is not possible. There are plenty of Block visibility settings available so I do not think we should further restrict the site builders this way.

All the other permisisons seemed to be correct, and now that we've removed the ones provided by core and tidied up the naming and descriptions for many more, the above two things are all that was left in my notes I made during the testing.

CommentFileSizeAuthor
#16 2461723_16.warning_if_no_permission.patch2.77 KBjonathan1055
#12 2461723_12b.warning_if_no_permission.patch1.49 KBjonathan1055
#12 2461723_12a.admin_gives_access_permission.patch2.95 KBjonathan1055
#7 2461723_10.better_block_access.patch9.88 KBjonathan1055
#5 2461723_5.better_block_access.patch7.78 KBjonathan1055
#3 2461723_3.better_block_access.patch3.3 KBjonathan1055
#2 2461723_2.better_block_access.patch2.49 KBjonathan1055
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

GStegemann’s picture

GStegemann CreditAttribution: GStegemann commented
  1. Yes. "administer weblinks" implies 'access weblinks' as well, sure.
  2. OK. We can do so.
jonathan1055’s picture

jonathan1055 CreditAttribution: jonathan1055 commented
Status: Active » Needs review
FileSize
2461723_2.better_block_access.patch2.49 KB

I decided to do part 2 first. This is something that is limiting Weblinks Blocks use at the moment, and would be very useful to fix. Block content can now be displayed without the use requiring 'access weblinks' permission, as discussed. However, the 'more...' links are only displayed if the user is allowed to follow that link to the full pages. I have added an extra line to the admin config option explaining this. Also fixed one place which produced an 'undefined variable' $content if the user managed to find a url which gives them no main page content.

I am not entirely sure that item (1) is worthwile doing. It does not add any functionality, and only saves the admin user from ticking one checkbox. Anyway, we can discuss that after part (2) becuase the code changes clash.

jonathan1055’s picture

jonathan1055 CreditAttribution: jonathan1055 commented
FileSize
2461723_3.better_block_access.patch3.3 KB

Here's an update to the Blocks automated testing. This is just the new tests, not including the altered code in #2 above, so am expecting this run to fail one test (show block to ordinary user).

Status: Needs review » Needs work

The last submitted patch, 3: 2461723_3.better_block_access.patch, failed testing.

jonathan1055’s picture

jonathan1055 CreditAttribution: jonathan1055 commented
Status: Needs work » Needs review
FileSize
2461723_5.better_block_access.patch7.78 KB

I decided to add a few more tests and hey! I discovered a fault with the number of links shown when the user does not have full weblinks access. The code change I made to avoid adding the 'more' link had the effect of leaving the additional weblink to be shown (the extra one returned because we get limit+1 links in the query). Here's a patch with the new tests and the block code changes from #2, so this will fail one test - showing the number of links as four not three.

Shows the benefit of automated testing! I probably (maybe) would have found this bug in manual testing, and I expect Gerhard would have also, but it's worthwhile getting the machine to do it too.

Status: Needs review » Needs work

The last submitted patch, 5: 2461723_5.better_block_access.patch, failed testing.

jonathan1055’s picture

jonathan1055 CreditAttribution: jonathan1055 commented
Status: Needs work » Needs review
FileSize
2461723_10.better_block_access.patch9.88 KB

Here's a patch with the new tests and the corrected weblinks_blocks code. Simple to fix, in _weblinks_blocks_content() - just reorganise the logic around filling the $items array. Also it's better (and more easily understandable) to only put in the right number rather than put all in then remove the last one.

GStegemann’s picture

GStegemann CreditAttribution: GStegemann commented
Status: Needs review » Reviewed & tested by the community

Yes, looks much better. Thanks. Tested and works.

Shows the benefit of automated testing!

No doubt.

GStegemann’s picture

GStegemann CreditAttribution: GStegemann commented

just reorganise the logic around filling the $items array.

A simple question to fully understand your patch:

+++ b/contribs/weblinks_blocks/weblinks_blocks.module
@@ -163,26 +165,26 @@ function _weblinks_blocks_content($tid = 0, $sort, $limit, $group_id = NULL) {
+    // Add links up to the limit if there is one.
+    if ($limit == 0 || count($items) < $limit) {
+      $items[] = theme('weblinks_block_item', $variables);
     }

How is array $items filled when the amount of links hits the limit? Does it happen in the forearch loop filling array $variables due to this variable definition $variables = $items = array();

  • jonathan1055 committed ac99b0d on 7.x-1.x 
    Issue #2461723 by jonathan1055: Improve block access without permission...
jonathan1055’s picture

jonathan1055 CreditAttribution: jonathan1055 commented
Status: Reviewed & tested by the community » Needs work

One item is added to the $items array in each of the foreach ($result as $row) loops. If the number of links defined is greater than the limit then the query will have returned one extra. So we use the condition if ($limit == 0 || count($items) < $limit) which will add all links (if there is no limit, ie limit=0) or only add if we currently have fewer than the limit count($items) < $limit). Then the elseif clause will add the 'more' link on the final foreach loop, if we had one more link returned by the query. If the number of links defined is exactly the same as the limit then the last foreach loop will add the final link and there will be no elseif clause to run.

The syntax is $options = $items = array(); I think you mis-read this and thought it had $variables. It is shorthand for 

$variables = array();
$items = array();

I don't particularly like that style, but it was there and I didn't change it. The $variables array is replaced entirely in each loop.

Thanks for testing. Setting to 'needs work' while I work on part (1)

jonathan1055’s picture

jonathan1055 CreditAttribution: jonathan1055 commented
Status: Needs work » Needs review
FileSize
2461723_12a.admin_gives_access_permission.patch2.95 KB
2461723_12b.warning_if_no_permission.patch1.49 KB

For part 1, where 'administer weblinks' should imply or include 'access weblinks' there are several options:

(a) Alter the weblinks .module and .test files to allow 'administer weblinks' as an alternative to 'access weblinks'. This is done in patch 12a attached. It was more work than expected, because it required a separate access callback function. This then required specifying the original default user_access for callback on the other items, because the value is inherited from parent menu levels.

(b) Leave all weblinks access as per now, but give a warning when saving the permissions for, to highlight any roles which have one but not the other. This is in patch 12b.

(c) As for (b) but also automatically change the submitted form, so the the additional permission is always added. I don't think this can be done in hook_form_alter and it might need a separate submit handler, hence I'd like your opinion before I start coding that.

This is the final issue which I would like to sorted before we release 7.x.

GStegemann’s picture

GStegemann CreditAttribution: GStegemann commented

Was not easy to answer.

Solution in patch 12b is a quite good idea, but the UI is not very intuitive. Especially when many modules are installed. So the warning message(s) are displayed on top of the page but you won't see the actual permission settings anymore.

So we should go with (a) and change the description of permission 'access weblinks' explaining that this permission is implicitely included in permission 'administer weblinks'. In case of any complaints we can still implement (b).

Is my proposal OK with you?

This is the final issue which I would like to sorted before we release 7.x.

Yes!

jonathan1055’s picture

jonathan1055 CreditAttribution: jonathan1055 commented

Was not easy to answer.

I agree, it is tricky to decide the best solution. Ideally, I prefer giving a message and letting the user decide, as that is cleaner code-wise, but as you point out, the UI is not very helpful for this, and you either get the message or see the permissions but not both at the same time.

I was also wondering about 'Maintain Web Links Groups' - should we do the same for this? You can't do much maintaining of groups if you cannot see the main pages.

Altering behavior of permissions 'behind the scenes' in the code is not really the best practice, as the administrator then does not see the actual effect of ticking or unticking a permisison. I started to code the 'or edit groups' additional permission and it just seems unnecessarily complicated.

... so I think I am coming to the conclusion that we either give a message(s) or leave it as-is and make no changes at all. Both of those give a clearer view of what the code is doing - and that has to be better for our users' understanding of how they configure the module.

GStegemann’s picture

GStegemann CreditAttribution: GStegemann commented

... so I think I am coming to the conclusion that

I understand. But anyway, we could at least display an informational message that the selected combination of permissions for a role might have unwanted effects. How about this?

And second we can extend the permission descriptions to make this clearer.

jonathan1055’s picture

jonathan1055 CreditAttribution: jonathan1055 commented
FileSize
2461723_16.warning_if_no_permission.patch2.77 KB

Yes, I think the right action is to give warnings and also add to the descriptions. Here's a patch which does this for the both of the higher-level permissions.

GStegemann’s picture

GStegemann CreditAttribution: GStegemann commented
Status: Needs review » Reviewed & tested by the community

Agreed. Tested and works. Thanks.

  • jonathan1055 committed d2d7cae on 7.x-1.x 
    Issue #2461723 by jonathan1055: Givw warning is missing 'access weblinks...
jonathan1055’s picture

jonathan1055 CreditAttribution: jonathan1055 commented
Status: Reviewed & tested by the community » Fixed

Thank You.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.