users with only "administer simplenews subscriptions" permission can't see their admin menu items

Hi,

I think it's a consequence of a hook_menu() rewrite we performed on #827416: options under /admin/by-module are confusing and include duplicate options - let's clean them up!. We're still working on it. Thanks for reminding me there's still something to do, though.
I change the status to "critical" to fix it for the release.

Is it still active?
Same problem here.

You're welcome to propose a patch, I think I have been kind of stuck trying to find a quick and proper solution.

If you grant "administer simplenews subscriptions" and "send newsletter" to a user, but no "administer newsletters", the tab to acces de subscriptions list doesn't appear in "Newsletter Management".

My problem became when I wanted to show to my authenticated users access to subscriptions list, then I realized that the only possible way to do this was also granting access to administer users!!! but of course this is not acceptable since they could change the administrator users settings (not the password though because you need the old one).

Here is my solution:

1- Enable for authenticated user role:
-Use the administration toolbar
-Administer shortcuts
-Administer newsletters
-Administer simplenews subscriptions
-Administer users

At this point you can log in as authenticated user and see:
people->list
people->Newsletter subscriptions
Then you can go to "people->Newsletter subscriptions" and add a shortcut to "Newsletter subscriptions"

2- Disable for authenticated user role:
- Administer newsletters
- Administer users

There we go: Now the authenticated user cannot see/edit the list of users but he can see the subscriptions.

I know this is not exactly solving the problem above, neither is an "in-module solution" but it did solve my problem and maybe others had the same problem reaching this post as I did when I looked for "administer simplenews subscriptions"

Anyway if a further test is needed just tell me (unfortunately I only use this module for listing subscriptors, I wasn't able to send any mail but I don't need it either).

Is someone willing to work on a patch?

Normally we can reach the subscriptions admin page (admin/people/simplenews) by the tabbed link at the users admin page (admin/people). But a user needs 'user admin' rights to have access to the users admin page, this can mean too many privileges in some cases.

Luckily the subscriptions admin page is accessible without 'user admin' rights, so a user only needs 'administer simplenews subscriptions' rights. The great tip of #4 got me thinking, it might be easier to just manually create a shortcut to admin/people/simplenews at admin/config/user-interface/shortcut/.

Not sure I see the problem here. As explained in #6, you can always add a link to that page for users that can't navigate through the existing menus, either as a shortcut or as a normal menu link.

This behavior is pretty much by design.

Without permission to administer users, there is no link to admin/people/simplenews without making a shortcut or something. It would be great to also present a link to admin/people/simplenews at ie. admin/config/services/simplenews.

Exactly there is such a link, in the help text.

> As explained in #6, you can always add a link to that page for users that can't navigate through the existing menus, either as a shortcut or as a normal menu link.

Right, but granting site admins the power to admin subscriptions but not the rest of simplenews is surely a really common use case. And hence it should work out of the box.

This is a really bad breakage of the module. As user 1 you grant this permission to a role, and then tell your users 'you can manage subscriptions now' and they can't see the menu item. You could easily not even realize there's a problem!

The problem is that when making menu tabs, the one that is MENU_DEFAULT_LOCAL_TASK must be a 'dummy' that matches the 'root' path.

As see in examples module:

  // A menu entry with tabs.
  // For tabs we need at least 3 things:
  // 1. A parent MENU_NORMAL_ITEM menu item (menu_example/tabs in this
  //    example.)
  // 2. A primary tab (the one that is active when we land on the base menu).
  //    This tab is of type MENU_DEFAULT_LOCAL_TASK.
  // 3. Some other menu entries for the other tabs, of type MENU_LOCAL_TASK.
  $items['menu_example/tabs'] = array(
    // 'type' => MENU_NORMAL_ITEM,  // Not necessary since this is the default.
    'title' => 'Tabs',
    'description' => 'Shows how to create primary and secondary tabs',
    'page callback' => '_menu_example_menu_page',
    'page arguments' => array(t('This is the "tabs" menu entry.')),
    'access callback' => TRUE,
    'weight' => 30,
  );

  // For the default local task, we need very little configuration, as the
  // callback and other conditions are handled by the parent callback.
  $items['menu_example/tabs/default'] = array(
    'type' => MENU_DEFAULT_LOCAL_TASK,
    'title' => t('Default primary tab'),
    'weight' => 1,
  );

Oh wait, we do have that:

  $items['admin/content/simplenews'] = array(
    'title' => 'Newsletters Management',
    'description' => 'Manage newsletters and subscriptions.',
    'type' => MENU_NORMAL_ITEM,
    'page callback' => 'drupal_get_form',
    'page arguments' => array('simplenews_admin_news'),
    'access callback' => 'simplenews_newsletter_access',
    'file' => 'includes/simplenews.admin.inc',
  );
  $items['admin/content/simplenews/sent'] = array(
    'title' => 'Issues',
    'description' => 'List of newsletter issues.',
    'type' => MENU_DEFAULT_LOCAL_TASK,
    'access callback' => 'user_access',
    'access arguments' => array('administer newsletters'),
    'weight' => -10,
  );

The menu item 'admin/content/simplenews/sent' has no page callback, which is correct, as it's the default.

However, the problem is that its access control differs from the root item!

Here's a patch.

It just removes the access control from the menu item 'admin/content/simplenews/sent'. This is *not* a loosening of access -- users with 'administer simplenews subscriptions' could see this already because of the access with simplenews_newsletter_access() to 'admin/content/simplenews'. (In fact it was all they *could* see, which was the problem).

If the intention is that 'administer simplenews subscriptions' does NOT grant access to 'admin/content/simplenews/sent', then that's another bug.

Hello,

This is a patch for version 6 or version 7 of simplenews? I use simplenews 7 and I do not see where i have to apply the patch.
Do you have a version of the patch for simplenews 7?

Thanks.

This related issue is ready for review and might help with those permissions:
#794180: Add 'administer simplenews categories' permission separate of 'administer newsletters'
Feedback is appreciated.