Active
Project:
Node Table
Version:
6.x-1.0-alpha1
Component:
User interface
Priority:
Major
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
28 Feb 2011 at 04:37 UTC
Updated:
5 Oct 2011 at 04:12 UTC
When I give anonymous users access permission they also get permission to edit & add rows. They cannot edit the body of the node. Perhaps there may need to be a separate set of permissions for row editing. I've messed around with node_access but have been unable to prevent this row level access.
Comments
Comment #1
Patricia_W commented: I resolved this by changing the access arguments in this function:
/**
 * Implementation of hook_menu().
 *
 * Registers the admin overview pages, the per-node row add/edit/delete
 * routes and the AJAX cell callback.
 *
 * Access control, as wired here:
 * - Admin pages give no 'access callback', so Drupal 6 falls back to
 *   user_access() with the 'administer tables' permission.
 * - Every node/%node/... route delegates to _nodetable_custom_access() with
 *   the permission 'edit any table' and the loaded node (path position 1).
 *   That callback is defined elsewhere; this function only decides which
 *   arguments it receives.
 * - nodetable/js is gated by 'access content' only.
 *
 * @return
 *   An array of menu items keyed by path.
 */
function nodetable_menu() {
  // Permission for the two admin listings.
  $admin_access = array('administer tables');

  // Shared gate for all row-level routes: permission name plus the node
  // loaded from path position 1.
  $row_gate = '_nodetable_custom_access';
  $row_gate_args = array('edit any table', 1);

  return array(
    'admin/content/nodetable' => array(
      'title' => 'Node Table',
      'page callback' => 'nodetable_overview',
      'access arguments' => $admin_access,
      'description' => 'Manage nodetable nodes.',
    ),
    'admin/content/nodetable/list' => array(
      'title' => 'View tables',
      'page callback' => 'nodetable_overview',
      'access arguments' => $admin_access,
      'weight' => 0,
      'type' => MENU_DEFAULT_LOCAL_TASK,
    ),
    'node/%node/add_row' => array(
      'title' => 'Add row',
      'page callback' => 'drupal_get_form',
      'page arguments' => array('nodetable_row_form', 1),
      'access callback' => $row_gate,
      'access arguments' => $row_gate_args,
      'type' => MENU_LOCAL_TASK,
    ),
    'node/%node/rows' => array(
      'title' => 'Edit rows',
      'page callback' => 'nodetable_edit_rows',
      'page arguments' => array(1),
      'access callback' => $row_gate,
      'access arguments' => $row_gate_args,
      'type' => MENU_LOCAL_TASK,
    ),
    // NOTE(review): for the three routes below, access is decided on the node
    // in position 1 while the row in position 3 is loaded separately. Confirm
    // the form handlers check that the row belongs to that node.
    'node/%node/rows/%nodetable_row' => array(
      'page callback' => 'drupal_get_form',
      'page arguments' => array('nodetable_row_form', 1, 3),
      'access callback' => $row_gate,
      'access arguments' => $row_gate_args,
      'type' => MENU_LOCAL_TASK,
    ),
    'node/%node/rows/%nodetable_row/remove' => array(
      'title' => 'Delete',
      'page callback' => 'drupal_get_form',
      'page arguments' => array('nodetable_remove_row_confirm', 1, 3),
      'access callback' => $row_gate,
      'access arguments' => $row_gate_args,
      'type' => MENU_CALLBACK,
    ),
    // The cell-removal form receives the row (3) and the cell index (5) but
    // not the node that the access check was made against.
    'node/%node/rows/%nodetable_row/cell/%/remove' => array(
      'title' => 'Delete',
      'page callback' => 'drupal_get_form',
      'page arguments' => array('nodetable_remove_cell_confirm', 3, 5),
      'access callback' => $row_gate,
      'access arguments' => $row_gate_args,
      'type' => MENU_CALLBACK,
    ),
    // TODO: 'access content' is usually granted to anonymous users, so this
    // endpoint is reachable by anyone who can view the site.
    // NOTE(review): nodetable_cell_js() is not shown here; if it can change
    // cell data it needs the same gate as the row routes above.
    'nodetable/js' => array(
      'page callback' => 'nodetable_cell_js',
      'access arguments' => array('access content'),
      'type' => MENU_CALLBACK,
    ),
  );
}
I also noticed that there appeared to be a mismatch between the names of the permissions and the names used in this function:
/**
 * Implementation of hook_access().
 *
 * Decides node-level access for table nodes from the account's permissions
 * and, for the "own" permissions, from whether the account's uid matches the
 * node's uid.
 *
 * NOTE(review): Drupal 6 calls hook_access() with the operations 'create',
 * 'view', 'update' and 'delete'. 'edit' is not one of them, so the 'edit'
 * branch is not expected to match; 'update' (and 'create') fall through to
 * the default and are denied by this hook.
 * NOTE(review): the permission strings used here ('edit any table content',
 * ...) differ from the 'edit any table' string checked by this module's
 * hook_menu() entries. user_access() returns FALSE for a permission nobody
 * holds, so a mismatch fails closed here. Confirm the names against
 * hook_perm(), which is not shown.
 *
 * @param $op
 *   The operation being checked.
 * @param $node
 *   The node the operation applies to.
 * @param $account
 *   The user account requesting access.
 *
 * @return
 *   TRUE if access is granted, FALSE otherwise.
 */
function nodetable_access($op, $node, $account) {
  switch ($op) {
    case 'view':
      return user_access('access tables', $account);

    case 'edit':
      // The "any" permission wins outright; ownership is only compared when
      // the account holds the "own" permission.
      if (user_access('edit any table content', $account)) {
        return TRUE;
      }
      return user_access('edit own table content', $account) && ($account->uid == $node->uid);

    case 'delete':
      if (user_access('delete any table content', $account)) {
        return TRUE;
      }
      return user_access('delete own table content', $account) && ($account->uid == $node->uid);
  }

  // Any other operation is denied.
  return FALSE;
}
Which I rewrote as follows (although I don't think it mattered, because this code did not appear to be used):
/**
 * Implementation of hook_access().
 *
 * Decides node-level access for table nodes from the account's permissions
 * and, for the "own" permissions, from whether the account's uid matches the
 * node's uid. Any operation other than 'view', 'update' and 'delete' is
 * denied by this hook.
 *
 * NOTE(review): the update permissions are singular ('edit any table',
 * 'edit own table') while the delete permissions are plural
 * ('delete any tables', 'delete own tables'). Confirm each string against
 * hook_perm(), which is not shown. user_access() returns FALSE for a
 * permission nobody holds, so a wrong name silently denies rather than
 * grants.
 * NOTE(review): this hook governs node-level operations only. The row routes
 * registered in this module's hook_menu() use their own access callback, so
 * row editing is not restricted by this function unless that callback
 * consults it.
 *
 * @param $op
 *   The operation being checked.
 * @param $node
 *   The node the operation applies to.
 * @param $account
 *   The user account requesting access.
 *
 * @return
 *   TRUE if access is granted, FALSE otherwise.
 */
function nodetable_access($op, $node, $account) {
  switch ($op) {
    case 'view':
      return user_access('access tables', $account);

    case 'update':
      // The "any" permission wins outright; ownership is only compared when
      // the account holds the "own" permission.
      if (user_access('edit any table', $account)) {
        return TRUE;
      }
      return user_access('edit own table', $account) && ($account->uid == $node->uid);

    case 'delete':
      if (user_access('delete any tables', $account)) {
        return TRUE;
      }
      return user_access('delete own tables', $account) && ($account->uid == $node->uid);
  }

  // Any other operation is denied.
  return FALSE;
}
Comment #2
beckyjohnson commented: Can you roll this into a real patch?