On the menu administration page (admin/structure/menu), the link for the block administration page (admin/structure/block) is offered to users without the corresponding privilege.
The code in menu.module (line 40) checks if the block module exists, but not the user access:
```php
if ($path == 'admin/structure/menu' && module_exists('block')) { ... }
```
Shouldn't this be:
```php
if ($path == 'admin/structure/menu' && module_exists('block') && user_access('administer blocks')) { ... }
```
Otherwise, users with menu administration permissions but no block administration permissions get a message and link which leads them to an access denied page.
Comment | File | Size | Author |
---|---|---|---|
#18 | drupal-blocks-admin-page-link-offered-to-users-with-no-access-18.patch | 1.38 KB | chrisfree |
#13 | Blocks-administration-page-link-offered-to-users-with-no-access-5.patch | 825 bytes | kpun |
#6 | after-apply-patch.png | 64.07 KB | Manjit.Singh |
#6 | before-apply-patch.png | 72.14 KB | Manjit.Singh |
Comments
Comment #1
cilefen commented
Please see if the issue exists in Drupal 8 according to the backport policy. Move this issue to 8.x if it applies.
Comment #2
tpicado commented
Thank you for the tip. It seems the same issue indeed exists in Drupal 8: a link to the "Block layout page" is still offered to a user without the 'Administer blocks' permission.
I believe this is now in line 52 of 'menu_ui.module':
```php
elseif ($route_name == 'entity.menu.collection' && \Drupal::moduleHandler()->moduleExists('block')) {
```
Thanks!
Comment #3
tpicado commented
Comment #4
yogen.prasad commented
Comment #5
yogen.prasad commented
Comment #6
Manjit.Singh
Worked as expected :)
Steps I have followed:
1. I have created a new user.
2. Created a new role (say editor).
3. Gave that user the editor role.
4. Set their permission only for "Administer menus and menu items".
5. Checked the admin/structure/menu page with the new user.
Attaching before and after screenshots.
Before
After
Comment #7
alexpott
We sometimes offer links where the user has no access, but in this case it is the entire point of the text, so not displaying it makes sense.
Committed 7159e9c and pushed to 8.0.x. Thanks!
Comment #9
David_Rothstein (as a volunteer) commented
Comment #10
kpun (as a volunteer) commented
I am working on the backport.
Comment #11
kpun (as a volunteer) commented
Comment #12
kpun (as a volunteer) commented
Comment #13
kpun (as a volunteer) commented
I have backported the patch.
Comment #14
tim.plunkett
The D8 patch also fixes this bit of text, since it also links to admin/structure/block.
Comment #15
kpun (as a volunteer) commented
Comment #16
cilefen commented
I think you did that by accident?
Comment #17
kpun (as a volunteer) commented
It was by mistake.
Comment #18
chrisfree (at Chromatic) commented
Here's a new patch that addresses the diff between the D8 changes and that in the last patch.
Comment #19
chrisfree (at Chromatic) commented