Permission "Manage menus Create, update and delete menus" not working

Open on Drupal.org →

Created on 9 August 2024, 9 months ago

Problem/Motivation

I found a problem with the permission "Manage menus Create, update and delete menus" inside a group permissions. Due to this much more users can add menu even though they should not be allowed to.

Steps to reproduce

I have set the permissions so only admin (group internal and external) can create a new menu inside a group ("Add new menu"). But instead every group member with "Manage menu items" permission is able to add new menus to a group.

At least group_content_menu 3.0.2 and 3.0.3 seem to have this issue.

Proposed resolution

Check for correct permission in GroupContentMenuRouteProvider.php. I've included a patch.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report

Status

Active

Version

3.0

Component

Code

Created by

🇩🇪Germany tinytina

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Comments & Activities

Issue created by @tinytina
Comment 9 months ago →
🇩🇪Germany tinytina
Comment 3 months ago →
🇦🇹Austria mvonfrie
I have the same problem with 3.0.5. My customer wants to have exactly one group menu per group and only admins should be allowed to create/delete groups and their related menus, but group members with specific group roles (group admin, group content manager) should be able to create/edit/delete group menu items.
Comment 3 months ago →
🇺🇸United States mccoolai
Where are you getting this function in your patch?
$this->getManageMenusPermissions()

I don't see it included in your patch or on the 3.0.x codebase:
https://git.drupalcode.org/project/group_content_menu/-/blob/3.0.x/src/R...

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024