Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
It is a rendering issue of admin/user/access.
When a permission string s1 is a subset of another permission string s2,
before rendering of admin/user/access, if the permission s1 is on then,
s2 appears on the page to be on even if it is in reality off.
you can recreate the issue by having 2 permissions:
publish *all* content and
unpublish *all* content
the patch attached fixes this border case scenario.
5.x-dev is affect, patch attached as d5_fix_permissions_on_amdin_access.patch.txt
7.x-dev is not affected.
Comment | File | Size | Author |
---|---|---|---|
d6_fix_permissions_on_amdin_access.patch.txt | 1.16 KB | malaussene | |
d5_fix_permissions_on_amdin_access.patch.txt | 1.14 KB | malaussene |
Comments
Comment #1
Anonymous (not verified) CreditAttribution: Anonymous commentedCan someone test if this still an issue in D6? It does seem like a security concern.