I think I final understand this so here is my take which I hope might help others. These are the rules in order
'filter X' permission for the node filter must be enabled or can only view.
'administer nodes' if ticked gives you everything.
'access content' must be ticked or you get nothing.
Content access modules ONLY work on published nodes. Access grants are or'ed so a content access module won't control editing if you have also ticked "edit type X" permission as well.
Filter permission is interesting - I wonder if you can force a node to be php filter and then limit php filter to admin only? This may give some finer control. But I've not tried it.
On my site I have roles like member, contributor, editor etc. Members can view, contributors create but not publish, and editors can publish. Only published content is visible. To achieve this I've had to edit node.module. There seemed no other way to do it. Node.module has:
if ($op != 'create' && $node->nid && $node->status) {
....
So the access grants are only checked for published content. As far as I know this means that NO extra module can control permissions on unpublished content. What I have done is to comment out the section:
if (user_access('administer nodes')) {
return TRUE;
}
and instead or'ed this with $node->status as:
if ($op != 'create' && $node->nid && ($node->status || user_access('administer nodes')) ) {
....
'administer nodes' now gives access to unpublished content IF the role has permission for the published content. That allows my editor role to work with published or unpublished without being given carte-blanc for all content.
The final mod is below this:
// Let authors view their own nodes.
if ($op == 'view' && $user->uid == $node->uid && $user->uid != 0) {
return TRUE;
}
to add:
//Also allow authors to edit and delete unpublished nodes
if (($op == 'delete' || $op == 'update') && !$node->status && $user->uid == $node->uid && $user->uid != 0) {
return TRUE;
}
Which allows the author (contributor role) of a node to always edit it when it is unpublished.
Comments
Pre-publication
I'm just wondering, is there a way to give a specific role to view unpublished articles, but not to edit them? They may or may not have the ability to comment on these articles.
Alternatively, I may have to create a new book, called pre-publication, and only allow certain user access to it?
The above patches give
The above patches give content access modules (the one I use is call content access) control over each page type. I've just tested this with my page locked type (admin only edit) and the editor role can see that (if he knows the node number) but not edit it. The editor doesn't normally see unpublished page locked because I don't give the link and the generated content lists don't include it. But log in as an editor and type the right url and there is the unpublished content.
With the patches above the content access module controls who can view/edit/delete on a role by role basis for published and unpublished content. In fact content access should also do the work of the bottom patch so I'm not sure why I needed that. It may be that it isn't needed now with the higher patches but was put in first and never tried without. But my setup work so I'm inclined to leave it be :-).
www.fullcircuit.com