I have been added as a co-maintainer for sections. Now I see the "Edit" link in "Releases", "Development snapshots" table on page "d.o./project/sections" and if i click the "Edit" link i get an "access denied" page. I think the "Edit" link shouldn't be visible if i don't have the permission to edit the release, isn't it?

Aside the "Edit" tab on top works, well.

CommentFileSizeAuthor
#9 161552_project_check_admin_access.patch_1.txt2.07 KBdww
#5 161552_project_check_admin_access.patch.txt1.79 KBdww

Comments

dww’s picture

dww
we/he/they
commented
Status: Active » Postponed (maintainer needs more info)

a) Please provide specific links to the release nodes in question.

b) Do you consistently get access denied for all release nodes you're trying to edit, or just a few?

c) You should be able to edit release nodes for that project now. If you can't, it might be a case of, for example, the input filter set to full HTML for some reason, which you don't have permission to use. That's actually a pain in the ass for project_release.module to get right with this feature of letting everyone with CVS access edit the release nodes. That feature depends on testing access based on the project, not the specific release node. Otherwise, there's no way to give you permission to edit release nodes created by Ber. But, since we're not testing access on the release node itself, if something other than the project ownership and CVS access was causing the access denied (input filter, etc), then project_release won't know, and will print the edit link anyway.

So, this is probably "by design", but I need more info before I can say for sure.

hass’s picture

hass commented

a) http://drupal.org/node/95181/edit access denied. tested some minutes ago

b) yep, i consistently get access denied. there is only one release yet, so i cannot test others.

hass’s picture

hass commented
Status: Postponed (maintainer needs more info) » Active

maybe get this back into your radar :-)

GoofyX’s picture

GoofyX commented

I posted a similar question here, but received no answer so far.

dww’s picture

dww
we/he/they
commented
Assigned: Unassigned » dww
Status: Active » Needs review
StatusFileSize
new 161552_project_check_admin_access.patch.txt1.79 KB

Turns out this is another bug introduced by http://drupal.org/node/151892. :(

When project_check_admin_access() was ported to use project_use_cvs(), we were passing in the $project variable which in some cases is just a nid, and in other cases a full project node object. We really need to use $project_obj, which is always the full node object. Attached patch solves it via local testing.

hass’s picture

hass commented

I know this is OT here, but maybe you are able to take a look why i don't have the "Add release" link? Maybe related to this problem, too :-)

GoofyX’s picture

GoofyX commented

Same here. :-)

hunmonk’s picture

hunmonk commented
Status: Needs review » Needs work

@hass -- if you know it's OT, then please file another issue.

@dww -- might be a good idea to move that object loading logic right into project_use_cvs(), which would make the function more flexible and prevent these problems going forward.

dww’s picture

dww
we/he/they
commented
Status: Needs work » Needs review
StatusFileSize
new 161552_project_check_admin_access.patch_1.txt2.07 KB

And, just to defend ourselves from future bugs of a similar nature, new patch that adds code to project_use_cvs() to handle either nids or full node objects. Since node_load() is caching everything, anyway, it doesn't really hurt.

dww’s picture

dww
we/he/they
commented

@hass and goofyx: same bug.

hunmonk’s picture

hunmonk commented
Status: Needs review » Reviewed & tested by the community

looks good.

dww’s picture

dww
we/he/they
commented
Status: Reviewed & tested by the community » Fixed

Committed to HEAD and DRUPAl-4-7--2. Installed on d.o.

GoofyX’s picture

GoofyX commented

Nice. Thank you guys!

hass’s picture

hass commented

THX...

Anonymous’s picture

(not verified) commented
Status: Fixed » Closed (fixed)