due to a bug in project_access(), node_access contrib modules (simple_access, node_privacy_byrole, etc) can not grant permission to update or delete project nodes beyond node/project admins and the owner of the project. while i was at it, i cleaned up some related code and simplified some of the logic (since node_access() itself will grant users the permission to edit/delete their own nodes).

attached patch only applies cleanly to DRUPAL-4-7 branch. i'll followup with a patch that works for DRUPAL-4-7--2 and HEAD in a second.

CommentFileSizeAuthor
#3 project_access_break.patch.txt1.92 KBdww
#1 project_access_4_7-2.patch.txt1.26 KBdww
project_access_4_7.patch.txt1.14 KBdww

Comments

dww’s picture

dww
we/he/they
commented
StatusFileSize
new project_access_4_7-2.patch.txt1.26 KB

patch for DRUPAL-4-7--2 (applies to HEAD with minor offsets).

dww’s picture

dww
we/he/they
commented
Status: Needs review » Fixed

committed to DRUPAL-4-7, DRUPAL-4-7--2 and HEAD.

dww’s picture

dww
we/he/they
commented
Status: Fixed » Needs review
StatusFileSize
new project_access_break.patch.txt1.92 KB

see http://drupal.org/node/109442 -- stupid bug. i was forgetting to break; out of the $op cases, so 'view' was falling through and hitting the 'create' case's return FALSE. :(

heine’s picture

heine commented
Status: Needs review » Reviewed & tested by the community
dww’s picture

dww
we/he/they
commented
Status: Reviewed & tested by the community » Fixed

committed to HEAD, DRUPAL-4-7--2, DRUPAL-4-7 and DRUPAL-4-6. installed on d.o.

Anonymous’s picture

(not verified) commented
Status: Fixed » Closed (fixed)