When I give anonymous users access permission they also get permission to edit & add rows. They cannot edit the body of the node. Perhaps there may need to be a separate set of permissions for row editing. I've messed around with node_access but have been unable to prevent this row level access.

Comments

Patricia_W’s picture

I resolved this by changing the access arguments in this function:

/**
* Implementation of hook_menu().
*/
function nodetable_menu() {
$items = array();

$items['admin/content/nodetable'] = array(
'title' => 'Node Table',
'page callback' => 'nodetable_overview',
'access arguments' => array('administer tables'),
'description' => 'Manage nodetable nodes.',
);

$items['admin/content/nodetable/list'] = array(
'title' => 'View tables',
'page callback' => 'nodetable_overview',
'access arguments' => array('administer tables'),
'weight' => 0,
'type' => MENU_DEFAULT_LOCAL_TASK,
);

$items['node/%node/add_row'] = array(
'title' => 'Add row',
'page callback' => 'drupal_get_form',
'page arguments' => array('nodetable_row_form', 1),
'access callback' => '_nodetable_custom_access',
'access arguments' => array('edit any table', 1),
'type' => MENU_LOCAL_TASK,
);

$items['node/%node/rows'] = array(
'title' => 'Edit rows',
'page callback' => 'nodetable_edit_rows',
'page arguments' => array(1),
'access callback' => '_nodetable_custom_access',
'access arguments' => array('edit any table', 1),
'type' => MENU_LOCAL_TASK,
);

$items['node/%node/rows/%nodetable_row'] = array(
'page callback' => 'drupal_get_form',
'page arguments' => array('nodetable_row_form', 1, 3),
'access callback' => '_nodetable_custom_access',
'access arguments' => array('edit any table', 1),
'type' => MENU_LOCAL_TASK,
);

$items['node/%node/rows/%nodetable_row/remove'] = array(
'title' => 'Delete',
'page callback' => 'drupal_get_form',
'page arguments' => array('nodetable_remove_row_confirm', 1, 3),
'access callback' => '_nodetable_custom_access',
'access arguments' => array('edit any table', 1),
'type' => MENU_CALLBACK,
);

$items['node/%node/rows/%nodetable_row/cell/%/remove'] = array(
'title' => 'Delete',
'page callback' => 'drupal_get_form',
'page arguments' => array('nodetable_remove_cell_confirm', 3, 5),
'access callback' => '_nodetable_custom_access',
'access arguments' => array('edit any table', 1),
'type' => MENU_CALLBACK,
);

$items['nodetable/js'] = array(
'page callback' => 'nodetable_cell_js',
'access arguments' => array('access content'), // TODO
'type' => MENU_CALLBACK,
);
return $items;
}

I also noticed that there appeared to be a mismatch between names of permissions and this function:

/*
* Implementation of hook_access().
*/
function nodetable_access($op, $node, $account) {
switch ($op) {
case 'view':
return user_access('access tables', $account);
case 'edit':
return (user_access('edit any table content', $account) || (user_access('edit own table content', $account) && ($account->uid == $node->uid)));
case 'delete':
return (user_access('delete any table content', $account) || (user_access('delete own table content', $account) && ($account->uid == $node->uid)));
default:
return FALSE;
}
}

Which I rewrote as (although I don't think it mattered because this code did not appear to be used.

/*
* Implementation of hook_access().
*/
function nodetable_access($op, $node, $account) {
switch ($op) {
case 'view':
return user_access('access tables', $account);
case 'update':
return (user_access('edit any table', $account) || (user_access('edit own table', $account) && ($account->uid == $node->uid)));
case 'delete':
return (user_access('delete any tables', $account) || (user_access('delete own tables', $account) && ($account->uid == $node->uid)));
default:
return FALSE;
}
}

beckyjohnson’s picture

Can you roll this into a real patch?