Drupal menu permissions question

Question

I'm creating an admin module for my client that gives them access to some administration functionality concerning their content. I'm starting off by adding some permissions in my module by implementing hook_perm:

function mymodule_perm() 
{
    return array(
        'manage projects',
    );
}

I can then create my menu by adding to the admin section that already exists:

function mymodule_menu() 
{
    $items['admin/projects'] = array(
        'title' => 'Projects',
        'description' => 'Manage your projects.',
        'page callback' => 'manage_projects_overview',
        'access callback' => 'user_access',
        'access arguments' => array('manage projects'),
        'type' => MENU_NORMAL_ITEM,
        'weight' => -100,
    );

    $items['admin/projects/add'] = array(
        'title' => 'Add project',
        'access arguments' => array('manage projects'),
        'page callback' => 'mymodule_projects_add',
        'type' => MENU_NORMAL_ITEM,
        'weight' => 1,
    );

    return $items;
}

This will add a Projects section to the Administration area with an Add project sub section. All good.

The behavior I want is that my client can only see the Projects section when they log in. I've accomplished this by ticking the "manage projects" permission for authenticated users in the permissions section of my module. Now to give my client actual access to the Administration area I also need to tick "access administration pages" under the "system module" in the users permissions section. This works great, when I log in as my client I can only see the Projects section in the Administration area. There is one thing though, In my Navigation menu shown on the left column I can see the following items:

- Administer
   - Projects
   - Content management
   - Site building
   - Site configuration
   - User management

I was expecting only the see Administer and Projects items, not the other ones. When I click e.g. Content Management I get a Content Management titled page with no sub-sections. Same for Site Building, Site Configuration and User Management. What's really odd is that Reports is not being shown which is also a top level Administration section.

Why are these other items, besides my Projects section, being shown and how can I make them stop from appearing if I'm not logged in as an administrator?

Answer 1

I'm not sure exactly why the menu router displays those. But I may be able to help...

Why don't you change your path to something like:

projects/add  
projects/%/edit

This is similar to the node module's menu hook. It may not be exactly what you're looking for but if you don't want these user's having access to admin stuff it could be the right way.

Answer 2

Your problem is that they are allowed to view those pages.

From the system module's hook_menu:

$items['admin/build'] = array(
  'title' => 'Site building',
  'description' => 'Control how your site looks and feels.',
  'position' => 'right',
  'weight' => -10,
  'page callback' => 'system_admin_menu_block_page',
  'access arguments' => array('access administration pages'),
  'file' => 'system.admin.inc',
);

So when you gave them access administration pages you gave them access to the site building section, but not any item in it. A quick way to solve this is to:

• Use hook_menu_alter to change the access settings for those menu items to something they don't have access to. Either make your own perm or use an existing one.
• You could also use your theme to just hide the items.

Answer 3

this problem is for all module's core (example taxonomy, views, etc.)and also for any modules, how is possible to resolve?

exactly how with hook_menu_alter? exactly how with with theme ? other

I only noticed that the permission for page or story haven't this problem; when are activate you can see directly in the menu (isn't necessary enabled access administration pages); which is the difference in this permission?