Closed darylknight closed 2 years ago
So there are some "smarts" (which I'm likely going to take out) when a plugin gets installed, or the CP nav is otherwise changed, in that CP nav will try and insert that. But there are no checks if the current user has access to that nav item, which arguably, it really should include. I'd say that's an issue with this one.
You can see this in action https://github.com/verbb/cp-nav/blob/37d71db5c5a1c9c8347d6e082588e4ca3ea46d12/src/services/Service.php#L130-L162 and the clearly labelled saveNavigationToAllLayouts() function is adding it to all layouts. Just needs some additional checks here for permissions.
However, we probably also need checks elsewhere when rendering the navigation, because while some users for a layout might have permission, the CP nav needs to be rendered in the context of the current user. I should be doing that here - https://github.com/verbb/cp-nav/blob/37d71db5c5a1c9c8347d6e082588e4ca3ea46d12/src/models/Navigation.php#L180
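The render-time check described in the comment above, as an added example that is not part of the thread and is not CP Nav's or Craft's code: a layout's stored items are filtered against the user making the current request. The class and function names are hypothetical, and the permission string and users are constructed sample data.

```php
<?php
// Added illustration in plain PHP 8. No Craft or CP Nav classes are used;
// every name below is hypothetical.
final class NavItem
{
    public function __construct(
        public string $label,
        public ?string $requiredPermission = null, // null: any CP user may see it
    ) {}
}

final class User
{
    public function __construct(
        public string $name,
        public array $permissions = [],
        public bool $admin = false,
    ) {}

    public function can(?string $permission): bool
    {
        return $permission === null || $this->admin
            || in_array($permission, $this->permissions, true);
    }
}

// A layout is shared by many users, so what is stored in it cannot decide
// visibility. The decision is made per request, for the current user.
function visibleNavFor(User $user, array $layoutItems): array
{
    return array_values(array_filter(
        $layoutItems,
        fn (NavItem $item): bool => $user->can($item->requiredPermission),
    ));
}

// Constructed sample data: one layout that had a plugin item added to it.
$layout = [
    new NavItem('Dashboard'),
    new NavItem('Retour', 'accessPlugin-retour'), // assumed permission name
];
$reviewer = new User('reviewer'); // CP access only, no plugin permissions
$editor = new User('editor', ['accessPlugin-retour']);

foreach ([$reviewer, $editor] as $user) {
    $labels = array_map(fn (NavItem $i): string => $i->label, visibleNavFor($user, $layout));
    echo $user->name, ': ', implode(', ', $labels), PHP_EOL;
}
```

Hiding the nav entry only affects what is displayed; the plugin's own routes still need their server-side permission checks.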
Are you able to take a look at this? Retour is still showing in the sidebar for users that shouldn't be able to see it.
Should be fixed in 4.0.0-beta.2 for Craft 4.
Thank you :)
Description
Having an odd one here. With no additional changes to CP Nav, Retour is showing for users that shouldn't have access to it at all.
Default Settings:
Only one layout:
We have a user group who have control panel access and no other settings (they're in a group who needs to review pages on the front end behind a login wall, but shouldn't be able to edit anything. Because of the multi-site setup, they can't log in at all if I don't give them control panel access).
When a user from that group logs in, this is what they see:
Related: https://github.com/nystudio107/craft-retour/issues/220
Additional info