Inconsistency of user permissions to manage the menu

Created on 29 July 2024, 4 months ago
Updated 1 August 2024, 4 months ago

Problem/Motivation

On a Drupal D10.3 site, I have the "Micro site", "Micro Node" and "Micro Menu" modules installed and configured.
I have a micro site created with the "test" user as "Site administrator". This way, the "test" user can manage the micro site menu as expected, but if you change the test user to "Site Manager", he will only have permissions to: go to the menu management page (/site/1/menu/site-1), create new links, and move the links currently present in the menu.

Steps to reproduce

  1. Install and configure the "Micro site", "Micro Node" and "Micro Menu" modules.
  2. Create a new role, for example "Micro Site Editor".
  3. Create a new user with the role created in the previous step.
  4. Create a micro site.
  5. Add the previously created user as "Site manager".
  6. Visit the page /site/1/menu/site-1.
  7. Create a new link in the menu.
  8. Identify that menu link management options are missing, for example, delete.

Proposed resolution

After analyzing the code, I believe that this is a bug, because, in the file /src/Access/SiteMenuAccess.php on line 77, the role "Site manager" is authorized to access the menu management page.

    ...
    if ($account->hasPermission('administer own micro menu')) {
      // Site administrators and owner can always manage their menu
      if ($account->id() == $site->getOwnerId() || in_array($account->id(), $site->getUsersId(SiteUsers::MICRO_SITE_ADMINISTRATOR))) {
        return AccessResult::allowed()->addCacheableDependency($site)->cachePerPermissions();
      }

      // Site manager can manage the site menu.
      if (in_array($account->id(), $site->getUsersId(SiteUsers::MICRO_SITE_MANAGER)) ) {
        return AccessResult::allowed()->addCacheableDependency($site)->cachePerPermissions();
      }
    }
    ...

But in micro_menu_menu_link_content_access(), on line 139, the "Site manager" position is not allowed access to the menu_link_content.

    /**
     * Implements hook_entity_access().
     */
    function micro_menu_menu_link_content_access(EntityInterface $entity, $operation, AccountInterface $account) {
      ...
      // Allow the site owner and administrators to administer menu link content attached to the site menu.
      if ($site instanceof SiteInterface && ($site->getOwnerId() == $account->id() || in_array($account->id(), $site->getUsersId(SiteUsers::MICRO_SITE_ADMINISTRATOR)))) {
        return AccessResult::allowed()->addCacheableDependency($entity)->addCacheableDependency($site);
      }

      return AccessResult::neutral();
    }

That being said, my proposed resolution is to add verification of the "Site manager" role in micro_menu_menu_link_content_access().

Remaining tasks

None.

User interface changes

None.

API changes

None.

Data model changes

None.

๐Ÿ› Bug report
Status

Needs review

Version

1.0

Component

Code

Created by

🇵🇹 Portugal lolgm
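
An added example, not part of the original issue or the micro_menu code base: a plain-PHP model of the two checks quoted in the issue, showing how routing both through one shared rule closes the gap between menu page access and menu link access for site managers. `StubSite`, the role strings and every function name are hypothetical stand-ins; only `getOwnerId()` and `getUsersId()` mirror calls quoted on the page.

```php
<?php
// Added illustration: plain-PHP stand-ins, not Drupal or micro_menu code.
// StubSite, the role strings and every function name here are hypothetical.
const ADMINISTRATOR = 'administrator';
const MANAGER = 'manager';

final class StubSite {
  public function __construct(private int $owner, private array $users) {}
  public function getOwnerId(): int { return $this->owner; }
  public function getUsersId(string $role): array { return $this->users[$role] ?? []; }
}

// Shared rule: owner, site administrators and site managers manage the menu.
function can_manage_menu(StubSite $site, int $uid): bool {
  return $uid === $site->getOwnerId()
    || in_array($uid, $site->getUsersId(ADMINISTRATOR), TRUE)
    || in_array($uid, $site->getUsersId(MANAGER), TRUE);
}

// Models the page-level check quoted from SiteMenuAccess.
function menu_page_access(StubSite $site, int $uid): bool {
  return can_manage_menu($site, $uid);
}

// Models the link-level hook as quoted: managers are not granted by it.
function link_access_reported(StubSite $site, int $uid): bool {
  return $uid === $site->getOwnerId()
    || in_array($uid, $site->getUsersId(ADMINISTRATOR), TRUE);
}

// Models the proposed resolution: the hook reuses the shared rule.
function link_access_proposed(StubSite $site, int $uid): bool {
  return can_manage_menu($site, $uid);
}

// Users who can open the menu page but are not granted access to its links.
function drift(StubSite $site, array $uids, callable $link_check): array {
  return array_values(array_filter($uids, fn(int $uid): bool =>
    menu_page_access($site, $uid) && !$link_check($site, $uid)));
}

// Constructed sample: uid 1 owner, 2 administrator, 3 manager, 4 no site role.
$site = new StubSite(1, [ADMINISTRATOR => [2], MANAGER => [3]]);
print_r(drift($site, [1, 2, 3, 4], 'link_access_reported'));
print_r(drift($site, [1, 2, 3, 4], 'link_access_proposed'));
```

With the constructed sample, the first call lists uid 3 (the site manager) and the second returns an empty array, which makes the comparison usable as a regression check whenever either access rule changes.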
