- 🇧🇪Belgium dieterholvoet Brussels
Drupal 7 is EOL as of 5 January 2025 and so is the Drupal 7 version of this module. Marking as Closed (won't fix). Feel free to re-open if this issue is still present in any supported version of the module.
Steps to reproduce:
* enable block_access
* create a block
* go to the block configuration page e.g. admin/structure/block/manage/block/XXX/configure
* remember the delta of the block in the URL ('XXX')
* grant the 'delete' operation only to administrator role, so that regular authenticated users are not allowed to delete the block (see screenshot 1)
* go to permissions page, i.e. admin/people/permissions
* grant 'administer blocks' and 'configure all blocks' to role 'authenticated user'
* create a user with role 'authenticated user'
* sign in with this user
* go to the block delete page using the delta : admin/structure/block/manage/block/XXX/delete
Expected result : 403 access denied + no ability to delete the block
Actual result : 200 OK + ability to delete the block (see screenshot 2)
In block_access.module, the 'block delete' URL is defined like this:
define('BLOCK_ACCESS_MENU_DELETE', 'admin/structure/block/delete');
Maybe it should be like this:
define('BLOCK_ACCESS_MENU_DELETE', 'admin/structure/block/manage/%/%/delete');
I will have a closer look later.
Closed: won't fix
1.0
Code
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Drupal 7 is EOL as of 5 January 2025 and so is the Drupal 7 version of this module. Marking as Closed (won't fix). Feel free to re-open if this issue is still present in any supported version of the module.