On the menu administration page (admin/structure/menu), the link for the block administration page (admin/structure/block) is offered to users without the corresponding privilege.

The code in menu.module (line 40) checks if the block module exists, but not the user access:

if ($path == 'admin/structure/menu' && module_exists('block')) { ... }

Shouldn't this be:

if ($path == 'admin/structure/menu' && module_exists('block') && user_access('administer blocks')) { ... }

Otherwise, users with menu administration permissions but no block administration permissions get a message and link which leads them to an access denied page.

Comments

cilefen’s picture

Version: 7.37 » 7.x-dev

Please see if the issue exists in Drupal 8 according to the backport policy. Move this issue to 8.x if it applies.

tpicado’s picture

Thank you for the tip. It seems the same issue indeed exists in Drupal 8: a link to the "Block layout page" is still offered to a user without the 'Administer blocks' permission.

I believe this is now in line 52 of 'menu_ui.module':

elseif ($route_name == 'entity.menu.collection' && \Drupal::moduleHandler()->moduleExists('block')) {

Thanks!

tpicado’s picture

Version: 7.x-dev » 8.0.x-dev
Component: menu.module » menu_ui.module
yogen.prasad’s picture

Assigned: Unassigned » yogen.prasad
yogen.prasad’s picture

Status: Active » Needs review
FileSize
1.25 KB
Manjit.Singh’s picture

Assigned: yogen.prasad » Unassigned
Status: Needs review » Reviewed & tested by the community
Issue tags: +SrijanSprintNight
FileSize
72.14 KB
64.07 KB

Worked as expected :)

Steps I have followed:

1. I have created a new User.
2. Created a new role (say editor).
3. Give that user an editor role.
4. Set their permission only for Administer menus and menu items.
5. Checked admin/structure/menu page with new user.

Attaching before and after screenshots.

alexpott’s picture

Version: 8.0.x-dev » 7.x-dev
Status: Reviewed & tested by the community » Fixed

We sometimes offer links where the user has no access but in this case it is the entire point of the text so not displaying makes sense.

Committed 7159e9c and pushed to 8.0.x. Thanks!

  • alexpott committed 7159e9c on 8.0.x
    Issue #2495209 by yogen.prasad, Manjit.Singh: 'Blocks administration...
David_Rothstein’s picture

Status: Fixed » Patch (to be ported)
kpun’s picture

I am working on the backport.

kpun’s picture

Assigned: Unassigned » kpun
kpun’s picture

Component: menu_ui.module » menu.module
Status: Patch (to be ported) » Needs review
FileSize
825 bytes

I have backported the patch.

tim.plunkett’s picture

Issue tags: +Needs backport to D7

+++ b/modules/menu/menu.module
@@ -37,7 +37,7 @@ function menu_help($path, $arg) {
     case 'admin/structure/menu/add':
       return '<p>' . t('You can enable the newly-created block for this menu on the <a href="@blocks">Blocks administration page</a>.', array('@blocks' => url('admin/structure/block'))) . '</p>';
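
Review bot: The context line for case 'admin/structure/menu/add' still returns the "Blocks administration page" link built from url('admin/structure/block') with no user_access('administer blocks') check, so a user who can add menus but cannot administer blocks is pointed at an access denied page from this help text as well. Suggest guarding this return with the same permission check proposed for the 'admin/structure/menu' case, so the backport covers both links to admin/structure/block.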

The D8 patch also fixes this bit of text, since it also links to admin/structure/block.

kpun’s picture

Status: Needs review » Fixed
cilefen’s picture

Status: Fixed » Needs work

I think you did that by accident?

kpun’s picture

It was by mistake.

chrisfree’s picture

Here's a new patch that addresses the diff between the D8 changes and that in the last patch.

chrisfree’s picture

Status: Needs work » Needs review

  • alexpott committed 7159e9c on 8.1.x
    Issue #2495209 by yogen.prasad, Manjit.Singh: 'Blocks administration...

  • alexpott committed 7159e9c on 8.3.x
    Issue #2495209 by yogen.prasad, Manjit.Singh: 'Blocks administration...

  • alexpott committed 7159e9c on 8.4.x
    Issue #2495209 by yogen.prasad, Manjit.Singh: 'Blocks administration...
