Users must have permission to "view published content" in order to create a node of any type. [#1368610]

Posted by karlos007 on December 12, 2011 at 4:26pm

6 followers

Issue Summary

Playing with this module. I want that user can create, edit own, view own. He can not view anything else. How to do that?
If i check: Type: Create new content then user still can not add node.
If I check: View published content then user can add node, but he also can view nodes of other users.

I tried whatever I could but /node/add seem to be depending on "View published content". Why?

Comments

#1

Posted by karlos007 on December 12, 2011 at 4:27pm

(i am using Domain module can that be problem?)

#2

Posted by karlos007 on December 12, 2011 at 10:35pm

Project:	Content Access	» Drupal core
Version:	7.x-1.x-dev	» 7.10
Component:	Code	» node system

Hm i made some research.
- All access modules are out.
- User has ONLY permission to create Page content type.
- User has "Access denied" on /node/add/page

Any logic reason for that?

#3

Posted by karlos007 on December 12, 2011 at 11:27pm

Category:	bug report	» support request
Priority:	major	» minor
Status:	active	» closed (works as designed)

Sorry my fault. Now clean install, Content Access, Domain and everything works well.
Solution: /admin/structure/types/[TYPE]/access - expand Advanced. Give content node grants priority to 10. Flush all caches, rebuild content permissions.

#4

Posted by jenlampton on February 19, 2013 at 2:13am

Title:	Why "access content" affects "create node"?	» Users must have permission to "view published content" in order to create a node of any type.
Version:	7.10	» 7.19
Category:	support request	» bug report
Priority:	minor	» normal
Status:	closed (works as designed)	» active

I think this may actually be a bug - perhaps it is by design, but if so I'd like someone to confirm that :)

My use case is this: I want to have people 1) create an account (user role: authenticated) and 2) create a profile (in this case, a node). After a review of their node, their user account gets promoted to one of several other roles, and those elevated roles have permission to "view published content" - but the authenticated user should not have this permission.

From my testing, this is impossible to do without an access control module since access to the node/add page (or any specific node/add/X page) is also controlled by the "view published content" permission.

Is this a mistake?

#5

Posted by jenlampton on February 19, 2013 at 4:05am

Version:	7.19	» 8.x-dev
Status:	active	» needs review

Okay, I think I found the problem.

There is a check in node_access for 'access content' without checking the $op, and it will always return false, even affecting node/add and node/add/X

Patches for 8.x and 7.x attached.

Attachment	Size	Status	Test result	Operations
core-fix_overly_restrictive_check_on_all_node_ops-1368610-5.patch	552 bytes	Idle	FAILED: [[SimpleTest]]: [MySQL] 52,225 pass(es), 3 fail(s), and 0 exception(s).	View details \| Re-test
core-fix_overly_restrictive_check_on_all_node_ops-1368610-5-do-not-test.patch	492 bytes	Ignored: Check issue status.	None	None

#6

Posted by System Message on February 19, 2013 at 8:38am

Status:

needs review

» needs work

The last submitted patch, core-fix_overly_restrictive_check_on_all_node_ops-1368610-5.patch, failed testing.

#7

Posted by andypost on February 19, 2013 at 12:03pm

Issue tags:

+Needs tests

This has overlap with #1818556: Convert nodes to the new Entity Field API
Anyway we needs fix tests and add new one

#8

Posted by jenlampton on February 25, 2013 at 12:32am

Status:	needs work	» needs review
Issue tags:	-Needs tests

Patches still apply cleanly, and locally the same tests are not failing for me, so re-queueing for more accurate test results.

#9

Posted by jenlampton on February 25, 2013 at 12:33am

Issue tags:

+Needs tests

Whoops, lost important tag.

#10

Posted by jenlampton on February 25, 2013 at 12:33am

#5: core-fix_overly_restrictive_check_on_all_node_ops-1368610-5.patch queued for re-testing.

#11

Posted by System Message on February 25, 2013 at 1:33am