Posted by jamesJonas on January 16, 2008 at 6:47pm
| Project: | Feedparser |
| Version: | 5.x-1.x-dev |
| Component: | feedaggregator_node |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
Currently edit is restricted to the administrator or owner of an item. Here is the code:

    function feedaggregator_node_access($op, $node) {
      global $user;
      if ($op == 'create') {
        // Only users with permission to do so may create this node type.
        return user_access('administer news feeds');
      }
      // Users who create a node may edit or delete it later, assuming they have the
      // necessary permissions.
      if ($op == 'update' || $op == 'delete') {
        if (user_access('edit aggregator items') && ($user->uid == $node->uid)) {
          return TRUE;
        }
      }
    }

As we are granting permission via access control, the administrator is assuming that that role, even if they did not create the item, would have the ability to edit the node. The changes below seem to fix this issue.

    function feedaggregator_node_access($op, $node) {
      global $user;
      if ($op == 'create') {
        // Only users with permission to do so may create this node type.
        return user_access('administer news feeds');
      }
      // Users who create a node may edit or delete it later, assuming they have the
      // necessary permissions.
      if ($op == 'update' || $op == 'delete') {
        if (user_access('edit aggregator items') && ($user->uid == $node->uid)) {
          return TRUE;
        }
      }
      // role may be permissioned to edit the node, but not delete.
      if ($op == 'update') {
        if (user_access('edit aggregator items')) {
          return TRUE;
        }
      }
    }

I have not fully tested this change.
Thanks for the module,
James
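
An added example, not part of the original post or the Feedparser module: a stand-alone PHP script that prints the update/delete decision for an owner and a non-owner, with and without 'edit aggregator items', under the posted logic and with the extra 'update' branch. user_access() is stubbed here, and access_before(), access_after(), decision_matrix() and the uids are hypothetical names and constructed values.

```php
<?php
// Stand-in for Drupal's user_access(); $perms holds the current user's
// permissions. All values in this script are constructed for illustration.
$perms = array();
$user  = (object) array('uid' => 0);

function user_access($perm) {
  global $perms;
  return in_array($perm, $perms, TRUE);
}

// Logic as first posted: update/delete need the permission AND ownership.
function access_before($op, $node) {
  global $user;
  if ($op == 'create') {
    return user_access('administer news feeds');
  }
  if ($op == 'update' || $op == 'delete') {
    if (user_access('edit aggregator items') && ($user->uid == $node->uid)) {
      return TRUE;
    }
  }
  // Falls through: the function returns nothing (NULL).
}

// Same logic plus the proposed branch: update needs only the permission.
function access_after($op, $node) {
  $result = access_before($op, $node);
  if ($result === NULL && $op == 'update' && user_access('edit aggregator items')) {
    return TRUE;
  }
  return $result;
}

// One row per (user, permission, operation) combination.
function decision_matrix() {
  global $user, $perms;
  $node = (object) array('uid' => 7);  // constructed node owned by uid 7
  $rows = array();
  foreach (array(7 => 'owner', 9 => 'other') as $uid => $who) {
    foreach (array(TRUE, FALSE) as $has_perm) {
      $user->uid = $uid;
      $perms = $has_perm ? array('edit aggregator items') : array();
      foreach (array('update', 'delete') as $op) {
        $rows[] = sprintf('%-5s perm=%d %-6s before=%s after=%s', $who, $has_perm, $op,
          var_export(access_before($op, $node), TRUE), var_export(access_after($op, $node), TRUE));
      }
    }
  }
  return $rows;
}
echo implode("\n", decision_matrix()), "\n";
```

The only row that differs between the two columns is the non-owner holding the permission on 'update'; 'delete' stays tied to ownership in both versions.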