I'm having problems in which a user without "create new book" permissions is still being allowed to create a new book. Here's the situation:

1. The user has "create book page" but does not have "create new book" permissions
2. The user does not belong to any role that has "book editing" permission according to Book Access

When this user selects Create Book Page, the form's Parent selection menu is empty, but the user is permitted to submit a new book page. Consequently, a new book is created. This shouldn't be allowed...should it?

Can anyone else confirm this error? Or is my setup (5.7, OG 7.1, TAC) messing things up?

I'm really new to Drupal and all of the conventions, but can something like this fix the problem:

if ($options) {
  foreach ($options as $nid => $value) {
    if ($nid > 0 && !isset($permitted_nids[$nid])) {
      unset($options[$nid]);
    }
  }
}

to

if ($options) {
  foreach ($options as $nid => $value) {
    if ($nid > 0 && !isset($permitted_nids[$nid])) {
      unset($options[$nid]);
    }
  }
  if (!$options && !user_access('create new book')) {
    form_set_error('parent', t('You do not have permissions to add to any of the books, nor to create a new book.'));
  }
}

Comments

add1sun’s picture

Seems like something that Book restrict would help cover. I think that module should be merged into Book access instead of needing two modules to really cover common book access needs. Issue posted over there about merging the two: #287912: Merge with book access module?

add1sun’s picture

Status: Active » Closed (duplicate)

Actually this also seems like a duplicate of #227220: Anyone with 'Publisher'-type access can add new pages.