Hide component menu items that are restricted by access rights

[jjnxpct]

Is your feature request related to a problem? Please describe.

In Joomla 3 component menu items (backend) are hidden when a user has not access rights to that part of the component. In Joomla 4 those menu items are shown in the menu, but when you click on the item (you have no access rights to) you are presented with an error message.

Describe the solution you'd like

When a user does not have access rights to a part of a component the menu item should be hidden.

Additional context

We see this with several extensions we use. I think the way J4 generates the (sub)menu's inside components has changed. It pulls the items from the database and shows them, but there doesn't seem to be a access check on those shown items.

For users that have limited access to parts of an extensions it would be nice to not show them those items instead of giving them an error when they click on it. Does that make sense?

[brianteeman]

You can see that this is not correct by simply logging in to the admin as a user with only manager access

[jjnxpct]

I am not referring to the Joomla admin menu. But to menu items that are used inside of a component. But maybe I am missing something?

For example we have set access rights to parts of the component in AcyMailing an Convert Forms. But the menu items do show up.

[jjnxpct]

I think this might illustrate my issue: When We set access rights to to 'Users' to only access but no rights to create, edit or change status, I would expect this user not to see the menu items 'Groups' and 'Access levels' because when this user clicks on those items Joomla tells them the have no rights to access those parts of the component.

But think this is mostly applicable to extensions that have access right build in for menu items / parts inside the component. AcyMailing has settings to create access to parts of the component to Joomla user groups. This is also true for Convert Forms and probably other extensions as well. But I think those right somehow are added 'outside' the way Joomla creates the submenu's. In J3 a component had to create it's own menu items and was able to hide /show them based on the rights that were set in the component. But in J4 the menu items inside a component are generated in a different way (I was told). So then the extension builder can not influence the showing of menu items based on access rights that are set within the component.

Not sure if I explained this correctly...

[jjnxpct]

I have some screenshots to illustrate my point.

The extension 'Convert Forms' has access rights for the parts of the extension (Forms. Submissions, Campaigns and Addon'). We have set access to only the Submissions for a particular usergroup.

When this users logs in to the backend all 'sections' of the extension are visible in the menu. Bt when the user clicks on'Forms' an access error appears.

The error is correct, because this user has no access. But it would be better if the menu items for that section is not shown to this user.

I think the developer has no way to hide the menu items based on the access rights of the component sections. Because the way Joomla generates those submenu items.

But maybe I am wrong about this and a developer CAN do this? If so, it would be nice to be able to point the developer to documentation about how to do this.

[DavidBoggitt]

There used to be a brilliant extension that did this called Access Manager written by Carsten Engel. However, at some point changes in the Joomla 3 core meant that his approach no longer worked. His site no longer exists as I think he was unwell and stopped developing altogether. Hiding menu items based on access rights would be a fantasic feature to have, for sure.

[jjnxpct]

Menu items that belong to a component are stored in the '#__menu' database table. In this table there is a 'level' field. I tried to change this manually to hide menu items but that does not work. The access is set correctly and when I click on a component menu item without granted access Joomla gives this error:

You don't have permission to access this. Please contact a website administrator if this is incorrect.

This is correct, but changing the level in the database table does not affect the showing of the menu item.

Again, it would be great if component menu items could be hidden from users that have no access to that item. I stead of just showing the error.

This was also not the case in J3 by the way. But in J3 developer could create their own component menu with access rights. In J4 the component menu items are stored in the menu's database table. So it's harder - if not impossible - for a developer to control the showing of those items based on access right.

[jjnxpct]

I have another example: In AcyMailing we can set access rights to parts of the component. In J3 they build their own menu but tin J4 this has changed. An acymailing developer said this:

"But in Joomla 4 the side menu isn't ours, it's defined by Joomla, and we can't remove menu entries on the loading of the page."

So her we also have all menu items shown ins stead of only menu items that have access rights. So it would be good to have developers of components set access (view) rights for the menu items stored in Joomla. Not sure how.

[bembelimen]

"But in Joomla 4 the side menu isn't ours, it's defined by Joomla, and we can't remove menu entries on the loading of the page."

That is not correct, you can add/remove/move menu items on the fly e.g. via a plugin (there is a trigger for it).

[jjnxpct]

Our developer created a system plugin for a custom component to 'tap in' to Joomla's menus to add hide menu items based on their rights. It would be great if Joomla could add this functionality to the core somehow, so we won't need the plugin anymore.

If anyone would like the plugin code we used for this system plugin, please let me know and I will send the code. Unfortunately were are not able to add Joomla code pull requests for this ourselves...

[jjnxpct]

The code we used in the plugin mentioned will also be included in the next release of AcyMailing to hide /show menu items based on the access levels.