Home » Download » Drupal project » Drupal » Issues

"administer nodes” permission needed to preview / submit on a node where user has “create” permissions granted.

dnuss - March 20, 2007 - 00:58
Project:Drupal
Version:5.1
Component:node.module
Category:bug report
Priority:normal
Assigned:Unassigned
Status:active
Description

Module: node.module

node.Info
version = "5.1"
project =

"drupal"
node.module // $Id: node.module,v 1.776.2.1 2007/01/29 21:51:53 drumm Exp

$ Issue: "administer nodes" permission needed to preview / submit on a node where user has "create" permissions granted.

Test Environment: Platform: Windows XP, XAMPP, APACHE, PHP 4.4
IDE: NuSphere PhpED Version 4.6.3 Professional
Debugger: Integrated with NuSphere
Theme in use: "chameleon" theme

Observed Problem:node->created field not getting set to default causes exception in function.gmdate() because of negative $timestamp value.

Conditions to Test / Verify Problem exists:

  1. Create authenticated user
  2. Make sure authenticated user does NOT have "administer
    nodes" permission in node module permissions
  • Make sure authenticated user DOES HAVE "create story"
    permission in node module permissions
  • Create content for "story" type and click "PREVIEW"
  • With Devel module installed, you will get exceptions reported as "warning: gmdate() [function.gmdate]: Windows does not support dates prior to midnight (00:00:00), January 1, 1970 in D:\Program Files\xampp\htdocs\drupal-5.1\includes\common.inc on line 1088."

    • Debug Procedure Used:

    1. Using debugger in PhpED, set breakpoint at entry point into function "format_date"
    2. Examine $timestamp value being passed in - NULL
    3. Set breakpoints at various entry points in modules / functions in call stack to try to find where thenode->created date is not getting set ( and where is it supposed to get set )

    Problem Found:

    1. function node_object_prepare(&$node) is called, node being referenced does not have a "created" date set
    2. A test is made to see if user has "administer nodes" permission ( FAILS, user does not have that permission
    3. Setting of $node->created is bypassed, as is setting of $node->date
    4. Following the code all the way through to the function "format_date" verifies that the$node->created remains a NULL value, and when the timezone offset is applied, the $timestamp is a negative number and the gmdate function "barfs"…..

    Possible Remedies

    1. setting "administer nodes" permission for the authenticated user prevents the problem. If this is by design, then there is no bug. But needs lots of explanation as to why the permissions are designed that way. "Create" permission implies all the permission you need
    2. changing code in node_object_prepare() to check for
      • what type of node it is
      • test to see if "create" permission is granted for that type for that user instead of testing for "administer nodes" permission
    3. Eliminate the test entirely in node_object_prepare() based on these assumptions ( which needs to be verified )
      • That somewhere else in the form processing sequence, there should be appropriate tests to see if user can "create / edit / delete " content and stop the process gracefully long before node_object_prepare is called
      • That at the time node_object_prepare is called, what good is NOT SETTING a default date if the logic simply passes on the next code sequence where it allows a date to get "barfed" and possibly result in data integrity issues

    As a relative newcomer to Drupal, I do not have the appropriate knowledge ( yet ) to determine which of the remedies ( or even the assumptions ) is the most appropriate.

    Therefore, I have submitted as a bug and look forward to some discussion on where to go from here.

    » Login or register to post comments
     
     

    Drupal is a registered trademark of Dries Buytaert.