So maybe I'm just not understanding how this module works.

What I'm trying to do is provide a content type for jobs and a content type for applications. Then a user can create a job node and other users can create application nodes that reference the job node. I want the author of the job node to have permissions to view all of the application nodes that reference the job node. But I only want the authors of the applications to have permissions to view their own application nodes but none of the other applications.

So I created a node reference field on the application content type that references the job content type.

I then set Grant view access within the (if the user has update access to a referenced node) settings.

I then checked all three boxes under the (Grants for author) settings.

At least by my logic this should allow the author of the job node to view the application node and the author of the application node to view their own node but no other application nodes. Unfortunately it is not working. The author of the job node can not view the application nodes.

Any assistance here would be greatly appreciated. I have tried this with the dev version also.

Comments

danielb’s picture

Get the Devel module and activate the Devel Node Access blocks, see if what they say is consistent with what you expect?

xanderol’s picture

StatusFileSize
new121.81 KB
new92.91 KB

I activated the Devel Node Access module. With user1 I created a Job node called Job. Then with user2 I created an application node and called it application.

In my reference settings I checked all three boxes in the (if the user has update access to a referenced node) setting. I also checked the view box in the (Grants for author) settings.

When I view the application node the Node Access module shows that Users that may update referenced node Job may view/update/delete this node. But then in the Access permissions by user it shows that user1 only has the permission to update the node. So it seems to be Passing the update permission but not Granting the view and delete permission. I'm not quite sure what the difference is in the Pass and Grant. The Node Access module seems to think that user1 should be allowed all three permissions but user1 is not receiving them.

If I uncheck the boxes from the (if the user has update access to a referenced node) settings then check all three boxes in the (if user has delete access to a referenced node) settings, then the permission given to user1 changes to delete but provides no other permission.

If I check all three boxes in both settings then it provides no permissions at all to user1.

danielb’s picture

I'll try to figure out what might cause that, not easy though.

jestith’s picture

I'm certainly not an expert with this module, but I think I have a similar use-case problem that xanerdol has, but my site is using the Drupal 6 version: 6.x-1.14.

In my case, user jjones is the owner of a node (Article 4) referenced by the referring node. I see on the referring node:

node_access entries for nodes shown on this page
2183 0 ok nodeaccess_nodereference_update 2184 1 0 0 Users that may update referenced node Article 4 may view this node
By this I assume the user JJones who created the Article 4 node should also have update permission to that node, and hence should for the referring node receive view permission.

Access permissions by user
jjones NO: by the module NO: node access NO: node access NO: node access
But here it indicates jjones does not have view permission, and the user cannot view the node.

k1’s picture

I am having same problem. I think part of Xanderol issue is that the application node type is set to NOT publish.
I am unable to get this module to restrict access to my node reference. If I grant view access to my un-published node to the author of parent node, I get access denied message. When I publish the node, I don't get access denied message anymore but the node is accessible by everyone. I am using version 6x1.14
I have rebuilt permissions and cleared cache. what am I doing wrong? Thanks

Jman-1’s picture

I am having this same problem. I have a series of Project Documents which are related to Projects. The Project Documents should only be visible to the Users who are listed in the Project's Team Members Node Reference List. The Projects page is also editable by Users in the Team Member's list. In order to keep the Project Documents inaccessible to Anonymous Users I do not pass on View Rights, but I Grant View Rights if the User can Edit the Project Page. This is where things break down and the Rights don't get granted. The Author of the post and Admins are able to see the Project Documents, but other Team Members on the Project can not.

Any ideas?

mariusz.slonina’s picture

The offending line is (nodeaccess_nodereference.module 421-425):

/**
 * Implements hook_node_access_records().
 */
function nodeaccess_nodereference_node_access_records($node) {
 if (!$node->status) {
    // Don't create grants for unpublished nodes.
    return NULL;
}

I had to comment it to have my intranet site working.

mostou’s picture

I experience the same issue not being able to grant view permission, if the referenced user has update access. I don't know if it is a conflict between content access module and Node access node reference module. I have tried different weight options without seeing this issue disappear.

Reproduction of the error.

Modules:
Content Access 6.x-1.2
Node access node reference 6.x-1.4
Node access user reference 6.x-3.3

Users/roles:
User1 -> Role1
User2 -> Role1

Contenttypes:
Contenttype1 + user reference field
Contenttype2 + node reference field

Content:
Node1 of contenttype1 + user1 referenced
Node2 of contenttype2 + node1 referenced

Contenttype1 access rules
-------------------------
Content access: View any and own content enabled for Role1. Weight 0
User reference field: Grant update. Weight 0

Contenttype2 access rules
-------------------------
Content access: nothing. Weight 1
Node reference field: If the user has Update access, Pass on update and grant view. Weight 1

Everything works as aspected with node1 for user1 and user2. However the problem appears with node2 for user1. View access is not granted eventhough user1 has update access on node1. With the Devel module installed it seems user1 has update permission but no view permission on node2.

Should this be raised as a new issue?

Matthew Davidson’s picture

Version: 7.x-1.17 » 7.x-1.x-dev
Component: Miscellaneous » Code
Category: support » bug
Status: Active » Needs review

A foreach loop over all ops in nodeaccess_nodereference_calculate_grants() was breaking on the first grant found for an op, which meant that if you had multiple possible grants for a single op, only the first one found was returned.

Matthew Davidson’s picture

Whoops. Here you go:

danielb’s picture

Very good Matthew, we'll see what the others say. But it looks like a winner, and I'm sorry you had to read that code.

xanderol’s picture

I just gave Matthew's patch a try and it does indeed seem to do the trick.

Thank you for squishing the bug Matthew and thank you for an excellent module danielb :)

drupalmeister’s picture

By the way, interesting that no one mentioned it, but the issue in this thread seems to be the same one brought up in this post: http://drupal.org/node/1116920

(Pay attention to new code by module author at this comment http://drupal.org/node/1116920#comment-4506586)

drupalmeister’s picture

If it's breaking on the first round of the loop, why is it breaking if you just have the module grant 'view' access [If the user has update access to a referenced node]?

Thanks so so much for taking the time to look at the code and fix it. It would certainly help a lot of people who are experiencing issues, including myself...

mostou’s picture

Thanks alot Matthew - it works for me too on 6.x-1.14

Drupalmeister I did notice the other issue, I just assumed this was another case since http://drupal.org/node/1116920 was closed as fixed and was a issue related to 6.x-1.10 - so I assumed that fix was already included in 6.x-1.14. I haven't checked though.

drupalmeister’s picture

Hi mostou,

I'm actually running the 6.x version which includes the added code that was suggested by danielb in order to fix that issue, but I still have the same problem.

I would love to hear from others if they had success in fixing this issue.

You can take a look at my comment here http://drupal.org/node/1116920#comment-5223442 where I describe the problem I have. Seems to me like the issue in both threads is the same.

Do you think I should use the patch in this thread to try to solve it? The patch refers to line 667 which has a function called nodeaccess_nodereference_field_delete_instance, but the 6.x version does not contain this function nor does it even have line 667 (the file ends on line 637).

I could try to patch only the first part (the if statement) and see if it helps.

drupalmeister’s picture

Alright, I'm glad to report that applying part of Matthew Davidson's patch did the trick.

I just implemented this part of the patch:

diff --git a/nodeaccess_nodereference.module b/nodeaccess_nodereference.module
index d2f76e9..63bfb06 100755
--- a/nodeaccess_nodereference.module
+++ b/nodeaccess_nodereference.module
@@ -183,8 +183,10 @@ function nodeaccess_nodereference_calculate_grants(&$grants, $op, $account) {
           if ($node_access) {
             // Add the reference as a grant on the relevant realm.
             $rights['nodeaccess_nodereference_' . $operation][] = $reference;
-            // Nothing more we need to do for this reference.
-            break;
+            if (!$cross_access[$op]) {
+              // Nothing more we need to do for this reference.
+              break;
+            }
           }
         }
       }

Basically, all this does is add if (!$cross_access[$op]) around the break; statement.

and that was it.

Thanks so much Mathew. I really appreciate it.

I wish if you could please explain what was going wrong, and possibly if the module author can also look at this, would be real great.

Thanks again.

danielb’s picture

Status: Needs review » Fixed

Basically there is some code that 'quits' the access checking when it predicts nothing more can be done. I added that just to squeeze a little more performance out of the function, but I didn't consider all the possible scenarios I guess, so that's what Matthew's if-statement improves.

I have committed this to 6.x-1.x and 7.x-1.x

drupalmeister’s picture

Hi danielb,

First, thanks so so much for this great module. It's super cool.

I was wondering if after installing this patch by Matthew it's still necessary to run the function nodeaccess_nodereference_init() code you added in this post http://drupal.org/node/1116920#comment-4506586

I was wondering if both fixes are necessary or not.

Thanks a million

danielb’s picture

Status: Fixed » Needs review

Thanks for pointing that out. I don't know at this stage if that is unnecessary, I hope so, because using hook_init() to do anything kinda sucks.

mostou’s picture

Updating to 6.x-1.15 solved my issue. Thanks Matthew and danielb!

danielb’s picture

Status: Needs review » Fixed

I've removed the hook_init() in the git code, so this issue is now resolved.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.