With the new node-level access permissions, it is entirely possible for users in the same role, or having the same taxonomy term, to edit each other's nodes. However, when this happens, node_validate will transfer ownership of the node to the user who last edited it. I think this behavior should be changed so that original authorship is always maintained unless specifically transferred.

The problem lies in node_validate, here:

$node->uid = $user->uid ? $user->uid : 0;

Since an alteration such as this could introduce an exploit, I'm wondering what others feel would be the best solution?

I was working on a role-based editing permissions module (based on JonBob's nodeperm_role.module) where the author of a node controls which groups can view/edit their post.

Comment | File | Size | Author
#1 | node_perm.patch | 655 bytes | matt westgate

Comments

matt westgate’s picture

Status | File | Size
new | | 655 bytes

Here is a proposed patch, which would then allow node authors to choose which users could view/edit their post.

moshe weitzman’s picture

seems simple enough to me. we ought to protect against unintentionally changing the author, right? +1

dries’s picture

Hopefully, this will become easier/clearer as soon as the revisions patch hits CVS. Let's revisit this soon.

tangent’s picture

As requested in this issue, it may be desirable for users with the permission to do so to change the owner of a node.

dries’s picture

Waiting for the node revision patch to land.

killes@www.drop.org’s picture

Status: Active » Needs review

This patch still applies. I don't immediately see why this is related to the revisions patch.

moshe weitzman’s picture

is this still needed?

chx’s picture

moshe, I think yes, as the offending line is still in node_submit. Dries probably hoped that different revisions may have different uids. The possibility is there (look at node_save, node_table_values and revisions_table_values) IMO, but that would require some study. For example, how should node access react to this?

matt's patch could be written a bit more elegantly IMO so that it reads isset($node->uid) ? $node->uid : $user->uid.
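
The ownership logic discussed in this thread, as an added example that is not part of the original posts, the attached patch, or Drupal's code: the quoted assignment, the isset() variant, and a version that reads the owner from the stored node and lets only a privileged user change it. The function names, the `permissions` array on the user object, and the use of the 'administer nodes' permission as the gate are assumptions for illustration.

```php
<?php
// Added illustration. Function names and data shapes are hypothetical.

// Behaviour described in the issue: whoever saves the node becomes its owner.
function assign_uid_original($node, $user) {
  $node->uid = $user->uid ? $user->uid : 0;
  return $node;
}

// Variant suggested in the thread: keep a uid already present on the node.
// If $node is built from submitted values, the submitter chooses that uid.
function assign_uid_isset($node, $user) {
  $node->uid = isset($node->uid) ? $node->uid : $user->uid;
  return $node;
}

// Hardened: the owner comes from the stored node (or the creator for a new
// node); a submitted uid is honoured only for a user allowed to reassign.
function assign_uid_hardened($submitted, $stored, $user) {
  $owner = $stored ? (int) $stored->uid : (int) $user->uid;
  if (isset($submitted->uid) && in_array('administer nodes', $user->permissions, true)) {
    $owner = (int) $submitted->uid; // explicit transfer by a privileged user
  }
  $submitted->uid = $owner;
  return $submitted;
}

// Constructed sample data: node 10 is owned by uid 3.
$stored = (object) ['nid' => 10, 'uid' => 3];
$editor = (object) ['uid' => 7, 'permissions' => []];
$admin  = (object) ['uid' => 1, 'permissions' => ['administer nodes']];

$cases = [
  'editor saves, no uid submitted' => [(object) ['nid' => 10], $editor],
  'editor submits uid 1'           => [(object) ['nid' => 10, 'uid' => 1], $editor],
  'admin transfers node to uid 7'  => [(object) ['nid' => 10, 'uid' => 7], $admin],
];

foreach ($cases as $label => [$submitted, $user]) {
  printf("%-32s original=%d isset=%d hardened=%d\n",
    $label,
    assign_uid_original(clone $submitted, $user)->uid,
    assign_uid_isset(clone $submitted, $user)->uid,
    assign_uid_hardened(clone $submitted, $stored, $user)->uid
  );
}
```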

moshe weitzman’s picture

Status: Needs review » Needs work

webchick’s picture

subscribing.

ricabrantes’s picture

Version: » 7.x-dev

Does this bug exist? Move to current version.

Jaza’s picture

Version: 7.x-dev » 8.x-dev
Status: Needs work » Closed (fixed)

I doubt that this bug still exists. But the code originally mentioned here might still be around in a somewhat modified form. Anyway, closing.