The 'access administration pages' is neatly used only for /admin/structure, /admin/config, all the sub-categories under /admin/config (i.e. /admin/config/media) and the help pages, but not any actual admin pages (i.e. /admin/structure/types or /admin/config/media/image-styles), as those require dedicated permissions. Basically it's your entry into the whole admin area (as in /admin/config) but doesn't let you actually do anything on its own. This allows setting up permissions in a way that gives access to /admin/config to someone that is less privileged and shouldn't be able to completely break the site, but maybe only configure image styles.

... except that then they can also rebuild node access?! They will generally not be aware of this, because the link to do this is only on the status report, but they can still visit /admin/reports/status/rebuild in their browser and it will work. Since rebuilding node access is not a destructive operation and also since the 'access administration pages' has the title "Use the administration pages and help" (emphasis mine) I don't think this is a security issue. However, on large sites rebuilding node access can be a heavy operation and you really might want to have more control over who is able to do this.

Add a dedicated permission for this and add an upgrade path that grants this permission to every role that has the 'access administration pages' permission.
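
A sketch of the upgrade path proposed above, added here as an illustration; it is not code from this issue or from Drupal core. The permission name 'rebuild node access' and the function name are assumptions, and the sketch presumes the new permission is declared in the node module's permissions file and that the route serving /admin/reports/status/rebuild is changed to require it.

```php
<?php

/**
 * @file
 * Illustrative post-update hook for the node module (added example).
 */

use Drupal\user\Entity\Role;

/**
 * Grant the new permission to every role that could already rebuild.
 *
 * Keeps existing sites behaving as before: whoever could reach
 * /admin/reports/status/rebuild through 'access administration pages'
 * keeps that ability until a site builder revokes it.
 */
function node_post_update_grant_rebuild_node_access(&$sandbox = NULL) {
  $existing = 'access administration pages';
  // Hypothetical name for the dedicated permission.
  $new = 'rebuild node access';

  $updated = [];
  foreach (Role::loadMultiple() as $role) {
    // Administrator roles implicitly hold every permission, so there is
    // nothing to store for them.
    if ($role->isAdmin()) {
      continue;
    }
    if ($role->hasPermission($existing) && !$role->hasPermission($new)) {
      $role->grantPermission($new);
      $role->save();
      $updated[] = $role->id();
    }
  }

  // Shown in the update output, so the change is visible for later review.
  return $updated
    ? 'Granted "' . $new . '" to roles: ' . implode(', ', $updated)
    : 'No roles needed the "' . $new . '" permission.';
}
```

After the update runs, revoking the new permission from lower-privileged roles is what actually narrows who can trigger a rebuild.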
Postponed: needs info
11.0 🔥
user interface text
A change record needs to be drafted before an issue is committed. Note: Change records used to be called change notifications.
To track issues in the developing policy for closing stale issues, [Policy, no patch] closing older issues