I want to restrict users with a certain role so that they can edit and delete only their own content, not others'. It seems to me that I should be able to do that on the Permissions page by checking each of the "delete/edit own... content" items, and clearing each of the "delete/edit any... content" items. But this doesn't work. With those permissions set, the user can still see and edit any node.
When I discovered this, I thought that "access content" might have something to do with it, so I cleared that item, but nothing changed. That made me wonder what "access content" does; I initially assumed that it would prevent a user from even displaying others' content, but it doesn't do that, either.
I also wonder what "administer nodes" does. I discovered that it has to be checked to make Drupal display the "Content management » Content" menu option, but in that context it seems redundant with the "delete/edit... content" items, and I can't find a clear explanation of what else it does in the documentation or the forums.
Comments
Administer nodes is sort of
Administer nodes is sort of the super-power of content management -- granting a role that permission effectively lets users with that role do anything and everything to ALL nodes. Edit, delete, change the created date, etc.
Not sure why that particular menu option is linked to the permission on your site, but you definitely want to uncheck "administer nodes" -- then your other "delete/edit own..." settings should work as you intended.
Catch-22
I'm not sure why either, but I just unchecked "administer nodes" and it returned me to where I started: the menu entry for the Content page no longer appears in the menu. I'm in a Catch-22: if I check "administer nodes" my users can edit everything, and if I uncheck it they can't get to the Content page and can't edit anything.
I guess I could write my own menu handler or my own Content page, but it doesn't make sense that I should have to do that kind of thing. I would much rather figure out how to unjam the door, so to speak, than cut a hole in the wall.
I wonder if
I wonder if this is a side effect of setting or not setting some other Permissions item that I do not fully understand? Here's what I've got for the role in question:
block module
  administer blocks: no
  use PHP for block visibility: yes
devel module
  access devel information: yes
  display source code: yes
  execute php code: yes
  switch users: yes
filter module
  administer filters: no
menu module
  administer menu: no
node module
  access content: no
  administer content types: no
  administer nodes: yes/no
  create page content: yes
  create story content: yes
  delete any page content: no
  delete any story content: no
  delete own page content: yes
  delete own story content: yes
  delete revisions: no
  edit any page content: no
  edit any story content: no
  edit own page content: yes
  edit own story content: yes
  revert revisions: no
  view revisions: no
path module
  administer url aliases: no
  create url aliases: no
sections module
  administer sections: no
system module
  (all items: no)
taxonomy module
  administer taxonomy: no
tinymce module
  access tinymce: yes
  administer tinymce: no
user module
  (all items: no)
Later -- I tried creating my own menu, which would at least give me a functioning prototype while I figure out what is wrong, but it didn't work. I got the menu, all right, but when I tried to click the "Content" item I got Access denied: I did not have permission to use the page.
So when "administer nodes" is cleared to make Drupal enforce the user's permissions, Drupal not only won't display the Content page through a standard menu, it won't let the user access the page at all.
I think...
..you have to allow "access content" or the user won't be allowed to access ANY content, including their own. That is my understanding anyway. Originally, I had that turned off for anonymous users and turned on for authenticated users and as a result, anons couldn't access anything past the front page aside from the user login/registration. I turned it back on because I wanted them to be able to access a "benefits of membership" page linked from front page and used an access control module to set permissions for the rest of the content.
There are several ways to keep people from accessing others' content, including a couple of modules. I think "permissions" is one...or something like that.
Not here...
As I mentioned in the OP, I have tried it with "access content" both on and off, and I saw no difference. I just tested the behavior you described, and did not observe it; with "access content" turned off, I had no trouble accessing the other pages of my site.
I really thought it might be "access administrative pages," but when I turned that on, I again saw no change.
I tried sending my "Delete or edit" menu item directly to the content editing page for a specific node, bypassing the Content page, and I still got "Access denied."
I should be able to restrict the user to editing her own nodes and still get to the content editing page by writing my own replacement for the Content page and turning "administer nodes" on, but that's really, really ugly. I should not have to grant unlimited node permissions to let the user edit an owned node.
I'm reluctant to suggest this at my current level of familiarity with Drupal, but it looks like a bug -- a bug in a pretty basic part of the system. I've spent half a day trying to find something I've missed, but there's nothing.
Oh dear...
I should have paid attention to the fact that you're using Drupal 6. I installed 5 because the modules I need are in 5 and I'll upgrade later when 7 comes out.
Perhaps you have found a bug...or something they just forgot to put back in when redesigning.
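The permissions discussed in this thread interact in a fixed order, sketched here as an added example (not code from any poster and not Drupal's own source): a simplified model of the sequence in which Drupal 6 core's node_access() consults "administer nodes", "access content" and the "edit/delete own/any" permissions. The function names, the array layout and the sample accounts and nodes are assumptions made for the illustration.

```php
<?php
// Simplified model of the order in which Drupal 6 core decides node access.
// Omitted: the input-format check, access hooks of non-core node types and
// the {node_access} grants table used by access-control modules.
function model_user_access($perm, $account) {
  return in_array($perm, $account['perms'], TRUE);
}

function model_node_access($op, $node, $account) {
  // 1. "administer nodes" short-circuits everything, ownership included.
  if (model_user_access('administer nodes', $account)) {
    return TRUE;
  }
  // 2. Without "access content" every operation is refused, own nodes too.
  if (!model_user_access('access content', $account)) {
    return FALSE;
  }
  $type = $node['type'];
  if ($op == 'update' || $op == 'delete') {
    $verb = $op == 'update' ? 'edit' : 'delete';
    // 3. "any" covers every node of the type, "own" only the author's nodes.
    return model_user_access("$verb any $type content", $account)
      || ($account['uid'] == $node['uid']
          && model_user_access("$verb own $type content", $account));
  }
  // 4. Viewing: published nodes, plus the author's own unpublished ones.
  $author = $account['uid'] != 0 && $account['uid'] == $node['uid'];
  return $op == 'view' && ($node['status'] == 1 || $author);
}

// Constructed sample data: user 7 owns one page, user 9 owns the other.
$own = array('edit own page content', 'delete own page content');
$cases = array(
  'own perms only'               => $own,
  'own perms + access content'   => array_merge($own, array('access content')),
  'own perms + administer nodes' => array_merge($own, array('administer nodes')),
);
$mine   = array('type' => 'page', 'uid' => 7, 'status' => 1);
$theirs = array('type' => 'page', 'uid' => 9, 'status' => 1);
foreach ($cases as $label => $perms) {
  $account = array('uid' => 7, 'perms' => $perms);
  printf("%-30s edit own: %-3s edit other's: %s\n", $label,
    model_node_access('update', $mine, $account) ? 'yes' : 'no',
    model_node_access('update', $theirs, $account) ? 'yes' : 'no');
}
```

A user's effective permissions in Drupal are the union of the permissions of every role the user holds, so `perms` here stands for that union rather than for a single role's column on the Permissions page.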