I have a menu that is only visible to authenticated users but shows up on the site map for anonymous users. Of course, if they click a link they are asked to log in or register, but I would rather they didn't see the menu contents at all.
Comments
Comment #1
hass commented:
Sounds like a security bug
Comment #2
Mike Dodd commented:
This is not really a bug.
I am not sure which method or additional modules you have used to "restrict access to this menu", but whichever method you used, there is a very simple fix. In the sitemap settings page you can select which menus are displayed in the site map. Simply remove the menu from this list and it will not be included in the sitemap.
Hope this helps
Comment #3
mdcockfi commented:
I'm not sure I agree with your assessment. The menu is in a block with "Show block for specific roles" set to authenticated user (core permission functionality); I would expect that, since this menu is not visible to anonymous users, if an anonymous user looks at the sitemap this menu would not be included. I can see in the code where the sitemap is being constructed unconditionally from the entries specified in the settings page list, and have spent a fair bit of time trying to figure out how to determine an entry's visibility. If memory serves, the Drupal 5 version was doing just that, but the Drupal 6 menu architecture does not lend itself...or at least it was not obvious to me.
Comment #4
hass commented:
This is access bypass. Menus not shown to the public must be hidden in sitemap to anonymous users. There could be a URL with authentication information.
Comment #5
frjo commented:
I changed the title to what I believe this issue is about.
Site map makes use of the function menu_tree_all_data() from the menu module and that makes all the normal access checks. On the Site map users will only see the menu items they have access to, just as anywhere else.
I therefore see it as a feature request that Site map should respect the "Show block for specific roles" settings for menus. I can understand the logic behind it.
If you want this feature please submit a patch for testing. If most users support it I would commit it.
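The distinction drawn in this comment, per-link access checks versus the block's role visibility setting, can be shown in Drupal 6 code. The following is an added example, not part of the thread and not code from the Site map module; the function names are hypothetical, and it assumes the menu's block is provided by menu.module with the menu name as its delta.

```php
<?php
// Added illustration for Drupal 6; not code from the Site map module.
// Both function names are hypothetical.

/**
 * Returns TRUE if the block for $menu_name may be shown to $account
 * under the block's "Show block for specific roles" setting.
 */
function example_menu_block_visible($menu_name, $account) {
  // Assumption: the menu is exposed as a block by menu.module, which uses
  // the menu name as the block delta. The Navigation menu block belongs to
  // user.module and would need a different module/delta pair.
  $result = db_query("SELECT rid FROM {blocks_roles} WHERE module = '%s' AND delta = '%s'", 'menu', $menu_name);
  $restricted_to = array();
  while ($row = db_fetch_object($result)) {
    $restricted_to[] = (int) $row->rid;
  }
  // No rows in {blocks_roles} means the block has no role restriction.
  if (empty($restricted_to)) {
    return TRUE;
  }
  // Visible only if the account holds at least one of the listed roles.
  return (bool) array_intersect($restricted_to, array_keys($account->roles));
}

/**
 * Builds the menu trees for a site map page, skipping menus whose block
 * is hidden from the current user by role.
 */
function example_sitemap_menu_trees($menu_names) {
  global $user;
  $trees = array();
  foreach ($menu_names as $menu_name) {
    if (!example_menu_block_visible($menu_name, $user)) {
      continue;
    }
    // menu_tree_all_data() still applies the normal per-link access checks.
    $trees[$menu_name] = menu_tree_all_data($menu_name);
  }
  return $trees;
}
```

The role setting on a block only controls where the menu is displayed; the access check on each linked path is what actually protects the content, so this filter reduces disclosure of link titles and URLs rather than replacing those checks.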
Comment #6
mdcockfi commented:
Well, it would seem I am missing something obvious here. I have content that is only accessible to authenticated users. The content is available via a menu, and I see no "visibility" options on menus. The menu is in a block that is only "shown" to authenticated users, and in fact anonymous users have no idea it exists. However, when an anonymous user accesses the sitemap, the invisible content is listed. If they then click one of the links they are told they do not have access...effectively showing them a plate of cookies and then smacking their knuckles when they reach for one....
This still strikes me as a disconnect on the correct handling of core accessibility/visibility functionality. If the menu does not display because the content is not accessible, it should not be listed in the sitemap...at least to my feeble mind. So either the module, or my understanding, is broken.
But, as the sitemap is functionality we might be able to get by without, I am bringing my participation in the conversation to a close.
All the best.