there doesn't seem to be any way to create content from template

I tried it from superuser as well as other user roles with the node_templates permissions. No matter who creates the templates or who trys to list them, there are never any options under operations except for delete / share.

No, it wasn't a special node type. Just a regular "Page" content type. I can't figure out what I'm doing wrong. I even installed it on a new installation of drupal, and I still don't get any options under "operations" except for delete and share. Its very weird, I feel like it must be a user error somewhere (that I'm not using the module properly) but I can't find anything else to test. I use a standard "page" will the same Input Format. The admin account has access to everything, and yet I still don't have any way of using the template that appears in the /nodetemplates list. I've attached a screenshot so you can see if it looks right. I really would love to get this working as I have a very strong need for it but I'm not sure where else to look.

I've read through the code line by line, and I find where you set $can_duplicate but I can't see what the problem is. If i use user1, create a plain old page, set template, then goto "my node templates" duplicate does not appear (both with and without share enabled). The only way I can get "duplicate" to appear is to set $can_duplicate to "true" manually. I still don't know enough about drupal development to understand how you are setting $can_duplicate to spot the problem.

I can tell you that $function is being set to "page_access" on line 457 and that

			if (function_exists($function)) {
				$can_duplicate = $function('create', $row) ? TRUE : FALSE;
				dvm($can_duplicate);
			}

does not get executed so the "function_exists('page_access')" is not true. I'm thinking it must be a permission check of some kind based on the content type, but I have no clue how to fix it. And I can't figure out why I'm having a problem that no one else is.

Any insights?

I think there's more going on here with permissions. From issue http://drupal.org/node/154430 it seems like people should only be seeing templates they create or those marked shared. I set up a few test users, and they see all templates, whether or not they are shared. But i just installed this module into a fresh install, so I'm not sure what I could be doing that no one else is.

they are also seeing templates listed they don't have access to (that is, they get "access denied' when they click on the title to view the node set as a template). Anyway, i'm completely lost here as to 1) how this is supposed to work and 2) why it's not working that way.

Hi motou---

thanks for taking a look and posting back. I've actually been working on this since posting last night, and I've got it working for my needs. I couldn't figure out how the existing nodetemplate_list was working, so I ended up doing some research and rewriting the WHILE loop that lists the nodes.

I'm pretty new to drupal and I have no experience with any version other than 5, so I don't know if my code will work for 4.x versions, but here's what I came up with:

while ($row = db_fetch_object($result)) {

	if ($row->node == 1) {

		//determine user access to template node
		$shared = db_result(db_query('SELECT shared FROM {node_template} WHERE nid = %d', $row->nid));
		if (($row->uid == $user->uid) || ($user->uid == 1)) {
			$access = true;
		}
		else {
			$access = (filter_access($row->format) && node_access('create',$row->type) && node_access('view', $row) && $shared);
		}

		//only list node if user has access
		if ($access) {

			$can_delete = ($user->uid == $row->uid)? TRUE : FALSE;
			if (user_access('delete node template of others')) $can_delete = TRUE;
			$can_share = user_access('share node template') && ($row->uid == $user->uid);
			if ($user->uid == 1) $can_share = TRUE;

			$owner = ($user->uid == $row->uid) ? $user->name : db_result(db_query('SELECT name FROM {users} WHERE uid = %d', $row->uid));
			$sharetitle = ($shared == 0)? t('share'):t('unshare');

			$rows[] = array(
				node_get_types('name', $row->type),
				l($row->title, "node/$row->nid"),
				$owner,
				$row->status ? $yes : $no,
				format_date($row->changed, 'small'),
				$row->shared ? $shared_mark : '',
				l(t('duplicate'), "node/$row->nid/template/clone"),
				$can_delete? l(t('delete'), "nodetemplates/delete/$row->nid") : '',
				$can_share? l($sharetitle, "nodetemplates/share/$row->nid") : ''
			);
		} //end if access
	} //end if node
} // end while

To sum up the access rules:

1. if the user is the owner of the node or admin (uid = 1), access is granted
2. if the user is not the owner or admin, then it checks input format access, content type creation access, node view access, and if the template is shared. If any of those are false, then access is false and the node is not included in the list. This prevents users from receiving "access denied" messages when attempting to use a node template for a node they have no access to.

BTW node_access works with all content types in drupal 5 btw-- book, forum, custom types, etc. very nice. I just have to check it against my production site, which is using og and og_user_roles, to see if it will behave as expected there of if I have to do some additional access checks to pickup that access control as well. Hopefully it will.

The other changes I made were:
1. users can only share/unshare their own templates (except for user 1 which can share/unshare all templates). This prevents other users from unsharing a node shared by someone else.
2. don't need to check for $can_duplicate, if the node is listed, the duplicate operation is always there (since access permissions are checked before listing a node).

I've attached a patch to the 1.9 version but I'm developing on windows so I'm not sure I've figured out how to properly roll a patch yet-- let me know if it works. It would be great if you included the changes above into the module so I don't have to maintain it separately, but it's up to you of course.

I do have one remaining question-- do any of the access control checks I do in the WHILE loop need to be added to nodetemplate_menu somehow? In other words, can users still do unpermitted operations (especially sharing/unsharing someone else's template) by typing the URL directly into the browser? let me know...

thanks again for responding. and if there's anything else I can do to help, let me know.

forgot... I left your rule #4 above in because I could imagine a scenario where perhaps everyone is permitted to share templates but maybe a certain group of "editors" or something have control on templates and need to be able to delete templates that are owned by others. That's probably how it will work in my application. Group owners will get the "delete templates of others" permission.

actually, the more I think about this... I'm wondering if the permissions should be:

access node templates: list/duplicate "shared" templates and create/share/delete/duplicate your own node templates
and
administer node templates: create/share/delete/duplicate templates of your own AND others (all templates)

In both cases, abilities would always be subject to node_access permissions first and admin would always be able to do all.

what do you think?

one cannot share the template of others. The problem I ran into with my users was that they thought they should be the ones that control the sharing / unsharing of their templates. They didn't want someone else to be able to decide to share a node of theirs-- they wanted to be the one to decide if their node should be a shared template. They didn't like the idea of someone else sharing their template-- because they consider themselves the owner of their nodes.

Most of my site is organized based on "contributors" who can only create and edit their own content and "editors" who can create and edit anyone's content, so that's probably why I ran into this issue.

Is that something you don't think is a generally applicable perception?

Also, regarding the permissions-- mostly I was trying to figure a more intuitive way of separating them. But there again, I'm approaching it from my use case with contributors and editors, it may not be universally applicable.