The Drupal 6 version of the module doesn't appear to cross reference the incoming permissions with the permissions that exist on the site being imported into. For example, if an export were done on a dev machine with the Devel module enabled, the permissions for the Devel module could get imported onto the live site, even if the Devel module were not installed. I've created a small patch that weeds out any permissions that are not applicable to the modules on the site being imported into.

Incidentally, it looks like the Drupal 7 version of the module does already cross reference, similar to how this patch works.

CommentFileSizeAuthor
#5 secure_permissions.module.patch831 bytesMatt V.
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

agentrickard’s picture

agentrickard
he/him
Primary language English
Location Georgia (US)
CreditAttribution: agentrickard commented
Project: Permissions API » Secure Permissions
Version: 6.x-2.7 » 6.x-1.0

The patch might need to go against the Permissions API for D6, actually, since this is a D7 core feature. Permissions API handles the backport of that functionality.

I doubt that the D7 cross-reference is to the credit of this module. It's probably from the core API handling, which is now checking the module the permission belongs to.

But if you are exporting permissions to code, making sure they are correct is your job, not the module's. Right? Enabling a permission for a module that doesn't exist (or is disabled) should have no effect.

So I think this is an API feature, not really a bug....

agentrickard’s picture

agentrickard
he/him
Primary language English
Location Georgia (US)
CreditAttribution: agentrickard commented
Project: Secure Permissions » Permissions API
Version: 6.x-1.0 » 6.x-2.7
Category: bug » feature

See http://api.drupal.org/api/function/user_role_grant_permissions/7 for the change.

Not sure this is possible in D6.

ebeyrent’s picture

ebeyrent CreditAttribution: ebeyrent commented
Project: Secure Permissions » Permissions API
Version: 6.x-1.0 » 6.x-2.7
Assigned: Unassigned » ebeyrent

I agree that this is a feature request. It's really up to developers to make sure that staging code is called in the correct order, just like you can't import content types that reference CCK widgets that haven't been enabled.

Are errors or warnings being displayed when you try to set permissions that don't exist? If not, what's the desired outcome? Is this really even needed?

I'd love some more feedback from the community on this issue before I implement something.

agentrickard’s picture

agentrickard
he/him
Primary language English
Location Georgia (US)
CreditAttribution: agentrickard commented

Well, this is a feature that simply doesn't exist in D6. (I helped write the D7 patch.)

In D7, we check what module the permission belongs to, and store that so that permissions can be deleted when a module is uninstalled. This also means that you cannot add a disabled module's permissions using user_role_grant_permissions().

In D7, however, this is a more draconian approach to permissions (especially inheriting permission from other modules, like 'access content') that introduces module dependencies that are not a consideration to D6 module developers.

So since this doesn't harm anything, I'd be tempted to leave it alone in the D6 version.

Matt V.’s picture

Matt V. CreditAttribution: Matt V. commented
FileSize
secure_permissions.module.patch831 bytes

Sorry, it seems the patch I intended to attach was stripped somewhere between previewing and submitting the issue. Here's the patch for the Secure Permissions module that seems to address the issue.

Based on the original code, I got the idea that this might have just been an oversight because the secure_permissions_build_permissions function was already loading the available permissions into $permissions, but the function then does nothing with that variable. If you compare the secure_permissions_build_permissions function between DRUPAL-7--1-3 and DRUPAL-6--1-0, you'll see what I mean.

ebeyrent’s picture

ebeyrent CreditAttribution: ebeyrent commented

Sounds like this needs to be moved over to the other project issue queue.

agentrickard’s picture

agentrickard
he/him
Primary language English
Location Georgia (US)
CreditAttribution: agentrickard commented

Possibly. I think the question is, should permissions_grant_permissions() do the filtering, or should the caller.

ebeyrent’s picture

ebeyrent CreditAttribution: ebeyrent commented

It's my opinion that the caller should do the filtering. In D6, I have no way of knowing with 100% accuracy what module each permission belongs to. Two modules can define the same permission string; as such, I can't reliably do any filtering. This may be a rather weak argument though. :)

agentrickard’s picture

agentrickard
he/him
Primary language English
Location Georgia (US)
CreditAttribution: agentrickard commented

You could filter on $permissions = array_values(module_invoke_all('perm')); with the array_intersect(), like this patch does.

Otherwise, feel free to throw this back in my queue.

ebeyrent’s picture

ebeyrent CreditAttribution: ebeyrent commented
Status: Needs review » Fixed

Thanks Matt V. and agentrickard for the patch and discussion - I have fixed this in the latest commit.

http://drupal.org/cvs?commit=368434

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.