Defaults not taken for new submissions [#25436]

Comment #1

bwynants commented 21 June 2005 at 13:11

changes made:

case 'validate':
if (variable_get('node_privacy_byrole_enabled', FALSE)) {
_node_privacy_byrole_set_defaults($node);//, !$user_has_meta_perm);
}

and

case 'insert':
if (TRUE) {//($user_has_meta_perm) {
node_privacy_byrole_save_permissions($node);
}
break;

this seems to fix it!

Bert

Log in or register to post comments

Comment #2

bwynants commented 22 June 2005 at 07:54

Please take only the insert fix, the other piece was correct.....

case 'insert':
if (TRUE) {//($user_has_meta_perm) {
node_privacy_byrole_save_permissions($node);
}
break;

Log in or register to post comments

Comment #3

ankur commented 29 June 2005 at 17:42

Assigned:

Unassigned

» ankur

A patch has been committed to HEAD, DRUPAL-4-6.

The solution posted above will work but is not secure. This is because a user who does NOT have the meta-permissions will be able to, if they know how, to manipulate the post variables so that they input permissions different from the default.

To see the committed change, please consult
http://cvs.drupal.org/viewcvs/drupal/contributions/modules/node_privacy_...

-Ankur

Log in or register to post comments

Comment #4

ankur commented 29 June 2005 at 19:12

After careful examination of the issue posted by degerrit at http://drupal.org/node/23301, the committed patch was incorrect.

The statements added for the 'update' case in the function node_privacy_byrole_nodeapi() shouldn't have been added. A fix has been committed to HEAD, DRUPAL-4-6.

Really, it just undoes some of the lines added in the previous commit:
http://cvs.drupal.org/viewcvs/drupal/contributions/modules/node_privacy_...

-Ankur