Unwanted permissions to admin panelizer to user role

Created on 29 September 2016, about 8 years ago
Updated 12 August 2024, 3 months ago

Hello. I have updated to panopoly 1.40 and panelizer 3.4. (PHP7, Ubuntu 16.04)

One of my user roles ("editor") has unwanted access to the "Customize display" tab in every node and user page. Clicking on the panelizer links works perfectly, and editors can change panelizer settings.

I checked the permissions for panelizer module, but only the administrators have them checked.

Other user roles (such as "authenticated" or others) correctly don't see the tab, and don't have access to the related pages even when posting the URLs directly.

I think another permission triggers the panelizer abilities for editor role. What can it be?

Thank you very much

🐛 Bug report
Status

Active

Version

3.0

Component

Other module integration

Created by

🇮🇹Italy miromarchi


Comments & Activities


  • 🇺🇸United States lwalley

    Looks like PanelizerEntityDefault::panelizer_access() calls og_user_access() which will always return TRUE if user has 'administer group' permission.

    The result of the og access check is always appended to panelizer access regardless of the outcome of hook_panelizer_access(), and only one of the access array items needs to be TRUE to grant access.

    So it seems anyone with 'administer group' permission will always completely bypass panelizer permissions for an entity that is a group or a member of a group. If that is the case, it is maybe a bit unexpected. Perhaps special consideration is needed for users with 'administer group' access; one option could be to ignore the admin permission, e.g.:

    Instead of:

    $og_access = og_user_access($this->entity_type, $entity_id, "administer panelizer og_group $op");
    

    Pass in TRUE for $ignore_admin:

    $og_access = og_user_access($this->entity_type, $entity_id, "administer panelizer og_group $op", NULL, FALSE, TRUE);
    

    References:

    https://git.drupalcode.org/project/panelizer/-/blob/7.x-3.x/plugins/enti...
    https://git.drupalcode.org/project/og/-/blob/7.x-2.x/og.module?ref_type=...
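
The access aggregation described in the comment above, as an added example that is not code from Panelizer, OG, or the commenter. It is a simplified stand-alone model: `model_og_user_access()`, `model_panelizer_access()`, the `site_panelizer_access` flag, the sample accounts and the `content` operation are all assumptions made for illustration, with the "editor" account assumed to hold OG's 'administer group' permission.

```php
<?php
// Simplified model of the logic described in the comment; NOT Panelizer or OG code.
// model_og_user_access() and model_panelizer_access() are hypothetical stand-ins.

// Models the behaviour the comment describes: a user holding 'administer group'
// passes every OG permission check unless $ignore_admin is TRUE.
function model_og_user_access(array $og_perms, $perm, $ignore_admin = FALSE) {
  if (!$ignore_admin && in_array('administer group', $og_perms, TRUE)) {
    return TRUE;
  }
  return in_array($perm, $og_perms, TRUE);
}

// Access results are collected in an array; a single TRUE grants access.
function model_panelizer_access(array $account, $op, $ignore_admin) {
  $access = array();
  // Stand-in for the module's own permission checks and the results of
  // hook_panelizer_access() (assumed boolean flag on the sample account).
  $access[] = $account['site_panelizer_access'];
  // The OG result is appended regardless of the outcome above.
  $access[] = model_og_user_access(
    $account['og_perms'], "administer panelizer og_group $op", $ignore_admin);
  return in_array(TRUE, $access, TRUE);
}

// Constructed sample accounts (not taken from the reporter's site).
$accounts = array(
  'administrator' => array('site_panelizer_access' => TRUE, 'og_perms' => array()),
  'editor' => array('site_panelizer_access' => FALSE, 'og_perms' => array('administer group')),
  'og delegate' => array('site_panelizer_access' => FALSE,
    'og_perms' => array('administer panelizer og_group content')),
  'authenticated' => array('site_panelizer_access' => FALSE, 'og_perms' => array()),
);

// Compare the current call with the proposed $ignore_admin = TRUE call.
foreach ($accounts as $name => $account) {
  printf("%-14s current: %-6s with \$ignore_admin: %s\n", $name,
    model_panelizer_access($account, 'content', FALSE) ? 'ALLOW' : 'deny',
    model_panelizer_access($account, 'content', TRUE) ? 'ALLOW' : 'deny');
}
```

In this model only the "editor" row changes between the two columns, while an account that was explicitly granted the OG-level Panelizer permission keeps its access.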
