From 2e235b51529b76c93930d1d2c84170d7d3064ba6 Mon Sep 17 00:00:00 2001
From: David Rothstein <drothstein@gmail.com>
Date: Sun, 2 Nov 2014 23:49:26 -0500
Subject: Issue #849624 by brad.bulger, dcam, Alan Evans, oriol_e9g, Stevel |
 tsvenson: Fixed wrong permission for admin/structure/menu/parents.

---
 modules/menu/menu.module |  2 +-
 modules/menu/menu.test   | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

(limited to 'modules/menu')

diff --git a/modules/menu/menu.module b/modules/menu/menu.module
index 644479122..dc8f015dc 100644
--- a/modules/menu/menu.module
+++ b/modules/menu/menu.module
@@ -69,7 +69,7 @@ function menu_menu() {
     'title' => 'Parent menu items',
     'page callback' => 'menu_parent_options_js',
     'type' => MENU_CALLBACK,
-    'access arguments' => array(TRUE),
+    'access arguments' => array('administer menu'),
   );
   $items['admin/structure/menu/list'] = array(
     'title' => 'List menus',
diff --git a/modules/menu/menu.test b/modules/menu/menu.test
index 95e0ee9ea..a9bdb5f27 100644
--- a/modules/menu/menu.test
+++ b/modules/menu/menu.test
@@ -513,6 +513,23 @@ class MenuTestCase extends DrupalWebTestCase {
     }
   }
 
+  /**
+   * Test administrative users other than user 1 can access the menu parents AJAX callback.
+   */
+  public function testMenuParentsJsAccess() {
+    $admin = $this->drupalCreateUser(array('administer menu'));
+    $this->drupalLogin($admin);
+    // Just check access to the callback overall, the POST data is irrelevant.
+    $this->drupalGetAJAX('admin/structure/menu/parents');
+    $this->assertResponse(200);
+
+    // Do standard user tests.
+    // Login the user.
+    $this->drupalLogin($this->std_user);
+    $this->drupalGetAJAX('admin/structure/menu/parents');
+    $this->assertResponse(403);
+  }
+
   /**
    * Get standard menu link.
    */
-- 
cgit v1.2.3