If a user has 'create book page' permission but not 'create new books' permission, when they attempt to create the first book page in the database, the parent selection drop down will be blank and the book page will be created with no parent (a top level book page or new book).

CommentFileSizeAuthor
#1 create_first_book.patch.txt793 byteserdemkose

Comments

erdemkose’s picture

Version: 5.1 » 6.x-dev
Status: Active » Needs review
StatusFileSize
new793 bytes

This bug still exists in current development version. Attached patch is for 6.x-dev. I hope that somebody will backport it.

erdemkose’s picture

Priority: Minor » Normal
pwolanin’s picture

Version: 6.x-dev » 5.x-dev

This should be fixed already in 6.x - I'm not sure whether it's truly a bug in 5.x.

ainigma32’s picture

This one's really old but I tried this on 5.7 and I can confirm the behaviour as described in the original issue is still current.

I also tested the patch from #1 and it seems to work as designed. Code review of the module found some minor formatting issues but nothing that has to do with this patch.

I only see two drawbacks:

  • the need to add a query (but I don't see how we can avoid that in this case)
  • if a user was already logged in when the first book is created, he/she will still get an access denied message untill the cache is flushed (not sure which one) Because that only happens when you are setting up the site I suppose that's not much of an issue.
drumm’s picture

Status: Needs review » Needs work

The query is now always executed, even though it is not always used. I would recommend expanding the return statement into an if statement or two, where the query is only run when needed.

ainigma32’s picture

How about someting like this?

/**
 * Implementation of hook_access().
 */
function book_access($op, $node) {
  global $user;

  if ($op == 'create') {

    // Only registered users can create book pages. Given the nature
    // of the book module this is considered to be a good/safe idea.

    //if the user is allowed to create books we don't need to check any further
    if(user_access('create new books')) {
      return TRUE;
    }	

    if(user_access('create book pages')) {
      // If the parent of the page is the top-level we need to check whether or 
      // not there are any books present. Otherwise the new page would have no 
      // parent and that would result in a new book without the necessary permissions.
      if($node->parent == 0) {
        $count = db_result(db_query("SELECT COUNT(*) FROM {book}"));
        return user_access('create book pages') && ($count > 0);
      } else {
        return TRUE;
    }
  }
  return FALSE;
}
dpearcefl’s picture

Status: Needs work » Closed (won't fix)

Considering the time elapsed between now and the last comment plus the fact that D5 is no longer supported, I am closing this ticket.