This is a possible bug.

Start with a fresh installation of Drupal 6.2 with default permissions/roles for users. Install the blog module.

0. Login as Administrator
1. Allow anonymous users to create a blog entry by changing the permissions for anonymous users (see under permissions for the blog module)
2. Save settings
3. Log out
4. Click on create content
5. "Blog Entry" should appear as one the content types (we allowed it after all in point 1 above) but it does not

Thanks,

Sidharth

Comments

damien tournoud’s picture

damien tournoud commented

In blog_access(), posting by anonymous users is explicitly forbidden:

    case 'create':
      // Anonymous users cannot post even if they have the permission. 
      return user_access('create blog entries', $account) && $account->uid ? TRUE : NULL;

So this seems voluntary, but I don't know why.

sidharth_k’s picture

sidharth_k commented

This does not seem to be the case for Pages etc. If anonymous users have been given permissions to create Pages then they are able to... why are blog entries treated specially?

valdemar’s picture

valdemar commented

I believe this is because blog entries are associated with a user when they are created; each entry is placed into the blog of the user that created it. This wouldn't work with anonymous users because Drupal doesn't know which blog to put it into. I'd suggest using stories if you want anonymously submitted content.

Susurrus’s picture

Susurrus commented

Then shouldn't this restriction be better documented?

damien tournoud’s picture

damien tournoud commented

The issue is tricky.

  • D7 now has description for permissions. But blog permissions does not document that restriction -> this needs patching.
  • In parallel, there are discussion going on (for D7) about revamping the permission page to restrict classes of choices to some roles (#248598: Label permissions which are warned about in the user interface).
  • There is no real solution I can think of for D6.
thomas23@drupal.org’s picture

thomas23@drupal.org commented
Version: 6.2 » 6.8

Any news on this? I created a subset of a site based on the assumption (derived from permissions page) that anonymous users actually can post only to find out just before going live that it doesn't work... bummer!

Well, anyway. I don't get the point of drupal not knowing where to "put the entry". Isn't that based on the author? I.e. when I create an entry (type blog) and thereafter change the author that post will not appear under /blog/userX any longer. But rather it is listed on the blog page of the "new" author. And on the other hand drupal has user 0 for anonymous. The node table has:

nid 	vid 	type 	language 	title 	uid 	status 	created 	...

uid becomes "0" for anonymously posted stories. So why not do the same for blog posts?

Another question:
What change would I do -- especially security wise -- if i was to remove <?php && $account->uid ?> check? Maybe user/0 doesn't have an account "object"?

As you'll have noticed I'm not a php coder so bare with me. Hope to read comments and learn more here soon.

Cheers.

Alexander Kosarev’s picture

Alexander Kosarev commented

Anonymous is user with uid 0 - unauthorized user. So, if admin grand access to create blog entries for anonymous users why "anonymous blog" can not exists?

behind_vampire’s picture

behind_vampire commented

Is there any solution available except using stories in alternative to blog?

spicietx’s picture

spicietx commented

This is a bug in block.pages.inc. This bug exists as of 6.13.

Even when an authenticated user or anonymous user has permission to edit his own entry, Create Blog link does not appear. This is because in the code it incorrectly checks for user access:
if (user_access('edit own blog')) { //this permission does not exist!
$items[] = l(t('Create new blog entry.'), "node/add/blog");
}
should be changed to:
if (user_access('edit own blog entries')) {
$items[] = l(t('Create new blog entry.'), "node/add/blog");
}

reinis.berzins’s picture

reinis.berzins commented
Version: 6.8 » 6.19

The problem still persists in Drupal 6.19, although the modules/blog/blog.pages.inc (not block.pages.inc) has been corrected in a different way:

if (user_access('create blog entries')) {
$items[] = l(t('Create new blog entry.'), "node/add/blog");
}

quiron’s picture

quiron
Primary language Catalan
Location Barcelona
commented

Hi,

I have the same problem and I solved it as following, but I don't know the possible security/functionality consquences, anyway it works good for me

In the file blog.module (wwwroot/modules/blog/blog.module) there are the hook_access that implements the access control to the nodes. There is the line:

return user_access('create blog entries', $account) && $account->uid ? TRUE : NULL;

if we change it to:

return user_access('create blog entries', $account);

We have the problem solved.

I hope this solution can help anyone

Note: hacking the core is not a recommended solution.

grendzy’s picture

grendzy commented
Status: Active » Closed (works as designed)

I agree with #5 that there's no solution for d6.

see #404240: Blog module permissions' descriptions should reflect irrelevance to anonymous users

armanschwarz’s picture

armanschwarz commented

Why is this such a big discussion? Just remove the irrelevant validation as suggested by #11 in the next patch... problem solved...

grendzy’s picture

grendzy commented

Jason: blog.module is obsolete anyway, you can create a blog content type with CCK that does what you want.