I have a site that uses Drupal 4.3.0. I have given authenticated users "maintain books" access but they don't have "access admin pages" access. This used to work well (or nobody complained about it when I was using 4.2.0) until I upgraded.
The problem was that the book.module admin pages appear in the navigation menu for authenticated users, and when they clicked on them they'd get an access denied error because they don't have the "access admin pages" right.
I looked through the book.module code and found the following in the book_link function:
  if ($type == "system") {
    if (user_access("maintain books")) {
      menu("node/add/book", t("book page"), "book_page", 0);
      menu("admin/node/book", t("books"), "book_admin", 4);
      menu("admin/node/book/orphan", t("orphan pages"), "book_admin_orphan", 8);
      menu("admin/node/book/help", t("help"), "book_help", 9);
      $result = db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = 0 ORDER BY b.weight, n.title");
      while ($book = db_fetch_object($result)) {
        menu("admin/node/book/$book->nid", t("'%title' book", array("%title" => $book->title)), "book_admin");
      }
    }
  }
The problem was that people with "maintain books" get to see the admin pages for it, so I went and changed the if statement to this and it seems to work fine.
  if ((user_access("maintain books")) && (user_access("access administration pages"))) {
Now people with maintain books can't see the admin pages for the books. Any better solutions, or did I do something seriously wrong?
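Added example, not part of the original post and not Drupal's own code: a stand-alone model of the menu registration in book_link, comparing the combined check with a split that keeps node/add/book under "maintain books" alone and gates only the admin/ paths on "access administration pages". user_access() and menu() are stubs here, book_link_combined, book_link_split, admin_items and registered are hypothetical names, and the per-book loop is left out because it needs the database.

```php
<?php
// Added example. user_access() and menu() are stand-in stubs, not Drupal's code.
$perms = array();  // permissions of the constructed current user
$items = array();  // menu paths registered so far

function user_access($perm) {
  global $perms;
  return in_array($perm, $perms);
}

function menu($path, $title, $callback = NULL, $weight = 0) {
  global $items;
  $items[] = $path;
}

// The admin/ entries from the post (per-book entries omitted).
function admin_items() {
  menu("admin/node/book", "books", "book_admin", 4);
  menu("admin/node/book/orphan", "orphan pages", "book_admin_orphan", 8);
  menu("admin/node/book/help", "help", "book_help", 9);
}

// Combined check: every entry, node/add/book included, needs both permissions.
function book_link_combined() {
  if (user_access("maintain books") && user_access("access administration pages")) {
    menu("node/add/book", "book page", "book_page", 0);
    admin_items();
  }
}

// Split check (hypothetical): only the admin/ entries need the second permission.
function book_link_split() {
  if (user_access("maintain books")) {
    menu("node/add/book", "book page", "book_page", 0);
    if (user_access("access administration pages")) {
      admin_items();
    }
  }
}

// Run one variant for a given permission set and return the registered paths.
function registered($link_function, $user_perms) {
  global $perms, $items;
  $perms = $user_perms;
  $items = array();
  $link_function();
  return $items;
}

$editor = array("maintain books");  // constructed user without admin access
print_r(registered("book_link_combined", $editor));
print_r(registered("book_link_split", $editor));
```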