I have a menu that is only visible to authenticated users but shows up on the site map for anonymous users. Of course, if they click a link they are asked to log in or register, but I would rather they didn't see the menu contents at all.

Comments

hass’s picture

Category: feature » bug
Priority: Normal » Critical

Sounds like a security bug.

Mike Dodd’s picture

Status: Active » Fixed

This is not really a bug.

I am not sure which method or additional modules you have used to "restrict access to this menu" but whichever method you used there is a very simple fix. In the sitemap settings page you can select which menus are displayed in the site map, simply remove the menu from this list and it will not be included in the sitemap.

Hope this helps

mdcockfi’s picture

I'm not sure I agree with your assessment. The menu is in a block with "Show block for specific roles" set to authenticated user (core permission functionality); I would expect that, since this menu is not visible to anonymous users, if an anonymous user looks at the sitemap this menu would not be included. I can see in the code where the sitemap is being constructed unconditionally from the entries specified in the settings page list, and I have spent a fair bit of time trying to figure out how to determine an entry's visibility. If memory serves, the Drupal 5 version was doing just that, but the Drupal 6 menu architecture does not lend itself...or at least it was not obvious to me.

hass’s picture

This is access bypass. Menus not shown to the public must be hidden in the sitemap for anonymous users. There could be a URL with authentication information.

frjo’s picture

Title: Only include menu if visible » Site map should respect the "Show block for specific roles" settings for menus
Version: 6.x-1.2 » 6.x-2.x-dev
Category: bug » feature
Priority: Critical » Normal
Status: Fixed » Active

I changed the title to what I believe this issue is about.

Site map makes use of the function menu_tree_all_data() from the menu module and that makes all the normal access checks. On the Site map users will only see the menu item they have access to, just as anywhere else.

I therefore see it as a feature request that Site map should respect the "Show block for specific roles" settings for menus. I can understand the logic behind it.

If you want this feature please submit a patch for testing. If most users support it I would commit it.
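One way to implement the check frjo describes, as an added example that is not code from the site_map module or from anyone in this thread. It assumes the Drupal 6 API (the {blocks_roles} table, db_query()/db_fetch_object() and menu_tree_all_data()) and that menu blocks are registered by module 'menu' with the menu name as delta; the function names are hypothetical.

```php
<?php
// Added example, not site_map module code. Assumes the Drupal 6 API:
// {blocks_roles} holds per-role block visibility (module, delta, rid),
// menu blocks come from module 'menu' with delta = menu name, and
// menu_tree_all_data() already applies per-item access checks.

/**
 * Returns TRUE if the block for $menu_name is visible to $account
 * under the "Show block for specific roles" setting.
 *
 * An empty {blocks_roles} result means no role restriction was set,
 * which Drupal treats as "visible to everyone".
 */
function sitemap_example_menu_block_visible($menu_name, $account = NULL) {
  if (!isset($account)) {
    global $user;
    $account = $user;
  }
  $allowed_rids = array();
  $result = db_query("SELECT rid FROM {blocks_roles} WHERE module = 'menu' AND delta = '%s'", $menu_name);
  while ($row = db_fetch_object($result)) {
    $allowed_rids[] = (int) $row->rid;
  }
  if (empty($allowed_rids)) {
    return TRUE;
  }
  // $account->roles is keyed by rid; an anonymous visitor only carries
  // DRUPAL_ANONYMOUS_RID, so a block limited to "authenticated user" is hidden.
  return count(array_intersect($allowed_rids, array_keys($account->roles))) > 0;
}

/**
 * Builds the site map menu trees, skipping any menu whose block the
 * current user is not allowed to see. Item-level access is still
 * enforced by menu_tree_all_data(); this only hides the menu as a whole.
 */
function sitemap_example_menu_trees(array $menu_names) {
  $trees = array();
  foreach ($menu_names as $menu_name) {
    if (!sitemap_example_menu_block_visible($menu_name)) {
      continue;
    }
    $trees[$menu_name] = menu_tree_all_data($menu_name);
  }
  return $trees;
}
```

Hiding the block only removes the listing from the site map; node access rules remain what actually protects the content behind those links.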

mdcockfi’s picture

Well it would seem I am missing something obvious here. I have content that is only accessible to authenticated users. The content is available via a menu, and I see no "visibility" options on menus. The menu is in a block that is only "shown" to authenticated users, and in fact anonymous users have no idea it exists. However, when an anonymous user accesses the sitemap the invisible content is listed. If they then click one of the links they are told they do not have access...effectively showing them a plate of cookies and then smacking their knuckles when they reach for one....

This still strikes me as a disconnect on the correct handling of core accessibility/visibility functionality. If the menu does not display because the content is not accessible, it should not be listed in the sitemap...at least to my feeble mind. So either the module, or my understanding, is broken.

But, as the sitemap is functionality we might be able to get by without, I am bringing my participation in the conversation to a close.

All the best.