The patch submitted for http://drupal.org/node/15434 does not entirely prevent the submitter of a node from modifying role-by-role permissions when they actually don't have permissions to do so (if the site-admin has denied the permission to the particular role in the new workflow page).

nodeapi() for 'update' and 'save' needs to see if the user has the appropriate meta permission. If not, then update/save should just insert the default permissions (as set in the workflow) ONLY if byrole permissions haven't already been set at all.

If the user does have update permissions, then just save whatever came in via submit.

Perhaps this should be done during the validation phase??

Will let this digest for a couple of days.

-Ankur

Comments

ankur’s picture

ankur commented

committed to cvs HEAD

diff to previous version:
http://cvs.drupal.org/viewcvs/drupal/contributions/modules/node_privacy_...

This also fixes http://drupal.org/node/20143

-Ankur

Anonymous’s picture

(not verified) commented