Role permissions not hiding options in Dashboard

Topics: Administration, General, Writing modules
Jul 23, 2012 at 10:23 AM

Before version 1.5, permission options that were not allowed caused Dashboard menu items to be hidden. I have a custom module that creates a dashboard menu with numerous sub menu items. No matter what role I create and permissions I set, all items are available for selection by any user. Has the way permissions are set up changed? How do I modify my code to no longer show items a user does not have permissions for?

I also see that the core modules (Content, Widgets, Media, Navigation etc.) are also visible to any role a user is assigned to. It only denies permission once clicked. Has this behaviour also been changed? I used to be able to hide all Dashboard functionality to a user and only enable what I wanted the user to be able to see.

Jul 23, 2012 at 6:29 PM

This sounds like a regression. Would you mind filing a bug?

Jul 24, 2012 at 6:30 AM

Bug filed - Issue number: 18861

Jul 29, 2012 at 6:37 PM
Edited Jul 29, 2012 at 6:38 PM

I looked at the source code a bit and this seems to be caused by changeset number 6202 in the NavigationManager class.

Here is the change:


!item.Permissions.Any() ||
 item.Permissions.Any(x => authorizationService.TryCheckAccess(x, _orchardServices.WorkContext.CurrentUser, null))) {


was replaced with:


AdminFilter.IsApplied(_urlHelper.RequestContext) ||
item.Permissions.Concat(new [] { Permission.Named("ViewContent") }).Any(x => _authorizationService.TryCheckAccess(x, _orchardServices.WorkContext.CurrentUser, item.Content))) {


This seems to allow all menu items to be shown regardless of the required permissions.  It will show a menu item if the Admin filter has been applied (which I believe is on all admin pages) or if the signed in user has the permissions required to view the menu item or the ViewContent permission.  Most user types will have the ViewContent permission so this seems kinda weird.

Sebastien Ros is the person who made the change; perhaps he can shed some insight on why it was done.  I am very new to Orchard, so there is probably some reason for this code change that I am missing.

I will post this on the bug too.
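
The two conditions quoted in the post above, evaluated side by side for sample roles. This is an added example, not part of the original thread and not Orchard's code: the types are stand-ins, `TryCheckAccess` is reduced to a set lookup (its content argument is dropped), whether the admin filter applies is passed in as a parameter, and every permission name except `ViewContent` is made up.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Stand-in model, not Orchard's types: a user is just the set of permission names granted to it.
static class MenuVisibilityDemo
{
    // Hypothetical stand-in for the authorization service call quoted in the thread.
    static bool TryCheckAccess(string permission, ISet<string> granted) => granted.Contains(permission);

    // Condition before the change: show items that require nothing, or when the user holds a required permission.
    static bool ShownBefore(string[] itemPermissions, ISet<string> granted) =>
        !itemPermissions.Any() || itemPermissions.Any(p => TryCheckAccess(p, granted));

    // Condition after the change: the admin-filter test short-circuits the permission check,
    // and ViewContent is accepted in place of the item's own permissions.
    static bool ShownAfter(string[] itemPermissions, ISet<string> granted, bool adminFilterApplied) =>
        adminFilterApplied ||
        itemPermissions.Concat(new[] { "ViewContent" }).Any(p => TryCheckAccess(p, granted));

    static void Main()
    {
        // Constructed sample data: item and permission names (other than ViewContent) are assumptions.
        var items = new Dictionary<string, string[]> {
            { "Widgets", new[] { "ManageWidgets" } },
            { "Media", new[] { "ManageMedia" } },
            { "Custom module", new[] { "ManageCustomModule" } },
        };
        var roles = new Dictionary<string, ISet<string>> {
            { "Restricted", new HashSet<string> { "ViewContent" } },
            { "MediaEditor", new HashSet<string> { "ViewContent", "ManageMedia" } },
        };

        foreach (var role in roles)
        foreach (var item in items)
        {
            bool before = ShownBefore(item.Value, role.Value);
            bool onAdmin = ShownAfter(item.Value, role.Value, adminFilterApplied: true);
            bool offAdmin = ShownAfter(item.Value, role.Value, adminFilterApplied: false);
            Console.WriteLine($"{role.Key,-12} {item.Key,-14} before={before,-5} after(admin)={onAdmin,-5} after(non-admin)={offAdmin}");
        }
    }
}
```

With the old condition only MediaEditor sees Media; with the new one every row is shown, either through the admin-filter branch or through `ViewContent`.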