We noticed currently that Drupal user 1 is not allowed to bypass hide_submit functionality.

Please find attached the patch.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

sorinb created an issue. See original summary.

sorinb’s picture

FileSize
477 bytes
sumthief’s picture

Hello @sorinb,

Looks like it's a bug. In current situation user with uid = 1 have no possibility to use Hide submit`s functional.

But this patch is not a good idea. As user_access function will return TRUE to all arguments passed when we try to invoke it when we logged in under user with uid=1.

Looks like it should be done via separate setting in admin form. Something like that: "Disable Hide Submit`s functional for the super-admin account". (And the condition will have a second part related to checking variable value).

sumthief’s picture

Status: Needs review » Needs work
sonamsingh’s picture

Assigned: sorinb » Unassigned
Status: Needs work » Needs review
FileSize
2.72 KB

Hey Sumthief,

I do agree that the configuration for this must be added in the admin settings page but then it won't make much sense if the permission for this hide submit functionality is coming from two places: permissions page (using bypass hide submit) and from admin settings page for users with administrator role. So, I suggest a consolidation of these settings will be better. So, here's a patch which considers all these cases.

sumthief’s picture

Hello @sonamsingh,

I agree that your variant looks better.
I've reviewed your patch and at first look it seems good. The only thing which is a bit strange for me:

$hide_submit_roles = array_filter(variable_get('hide_submit_for_roles', array()));

It's not obvious for me why we need to filter roles came from variable.

perennial.sky’s picture

Hi Sumthief,

I think it is required to use array_filter while getting data from variable as I saw the configuration form, Whenever user saves the form, hide_submit_for_roles variable will have data in the following format

array(
  '4' => '<some Value>',
  '5' => '0',
  '6' => '0',
  '7' => '<some Value>',
)

In Above array, hide submit is applicable for rid 4 and 7 so to remove 0 from array she uses array_filter.

sumthief’s picture

Hello @akashjain132,

How it's possible? Attached patch provides user_roles function as source for options in configuration form. It means that role identifiers (rids) will be stored in provided variable.
Reserved constants for base Drupal roles are DRUPAL_ANONYMOUS_RID (1) and DRUPAL_AUTHENTICATED_RID (2).
As I know it's impossible to have rid equal to 0.
So for me it looks like unnecessary function invocation. But maybe I am wrong.

perennial.sky’s picture

FileSize
42.28 KB
46.21 KB

Hi Sumthief,

It seems some misunderstanding, I was saying that options are creating by user_roles() function which give a below array

User Options

but when user save the form, variable saves array in below format

Saved User Options

it means user checked only options 3 and 6 so to get only checked rid by a user we need to filter array to remove 0s and that why she is using array_filter.

Above is my understanding Please let me know if I am wrong.

CRZDEV’s picture

Here goes a simpler patch and it does not require to use additional config, just uses the existing "bypass hide submit" access (it already can be granted to roles by default into "/admin/people/permissions").

Also this won't require any manual configuration (after updating sites) to configure permission to each role but in module config variable (as previous patch requires, it won't preserve any previous configuration, there was no update added to map current access solution to variable).

CRZDEV’s picture

Title: Invalid permission to bypass for user 1 » Invalid permission bypass for super user

Just adjusting title.

omarlopesino’s picture

Status: Needs review » Reviewed & tested by the community

Patch #10 works fine. Marking as RTBC.