One of the items that came out of the Node Access sprint in Szeged was a consensus that the 'administer nodes' permission is far too broad. We envision a pluggable node access system that requires some elements of 'administer nodes' to be retained, while others a moved to the new 'bypass node access' permission.
This permission allows a role to View, Edit, or Delete all nodes at all times. This ability is taken away from users with 'Administer Nodes' who are now able to access and edit all information about a given node -- publication date, revisions, and so forth -- but must still follow node access rules. Doing so will allow for the sort of fine-grained editorial workflows that are common for node access modules like OG.
The attached patch introduces the new permission and includes a testing stub.
Comment | File | Size | Author |
---|---|---|---|
#21 | bypass_node_access.patch | 4.17 KB | agentrickard |
#12 | bypass.patch | 5.66 KB | agentrickard |
#6 | mw.patch | 4.58 KB | moshe weitzman |
bypass_node_access.patch | 3.26 KB | agentrickard | |
Comments
Comment #1
agentrickardComment #2
catchI really like this, a couple of questions though:
You've not changed the permissions on admin/content/node - how do you see that working with this? There should also be an upgrade path to ensure users with administer nodes get both permissions.
The various node operations should be split into smaller permissions, but that's a follow-up patch and this one gets us a step closer to that.
Comment #3
agentrickardGood point. That may just be an oversight, but I am pretty sure it is a deliberate omission from this patch. The problem with admin/content/node right now is that it does not obey node access rules (the old db_rewrite_sql). I think the proper solution is a new permission for that page, 'batch content editing' or similar.
Thoughts?
Comment #4
agentrickard@catch
See #305991: Administer nodes: split 'batch content editing' to new permission for the separate patch
Comment #5
moshe weitzman CreditAttribution: moshe weitzman commentedLooks like a great patch to me. Code is good. If the unit tests pass, is RTBC.
Not really relevant to this patch, but that node.test section looks wrong to me. There is no assertion after the node_delete() call so we are not caring if the call fails or not. On top of that, node_delete is an API function and should not even have any access control check. We already check for access in node_menu('node/%node/delete'). We are better off doing a drupalGet("node/$nid/delete"). That does the needed checks.
Comment #6
moshe weitzman CreditAttribution: moshe weitzman commentedI code and reviewed and tested this patch and it is RTBC. I changed the description and white space in the node.test because it didn't make much sense (that code predates Ken's patch). So here is a new patch with no new logic in it.
Comment #7
moshe weitzman CreditAttribution: moshe weitzman commentedI forgot to mention that we should probably add an update function so we give this perm to all roles that have administer nodes. thats pretty easy now with the new role_permissions table.
Comment #8
agentrickardI think catch is right, we may also need an update function to give this permission to D6 users with the 'administer nodes' permission. Will try a re-roll later this week (unless it is too early in the patch cycle for that).
Comment #9
agentrickardWe cross posted.
Let's worry about the update function later, then. After this gets in.
Comment #10
webchickEr? Since when do we let patches in without an upgrade path?
We tried that with the menu system during the D6 cycle and it involved a weeks-long clean-up. Not eager to repeat that again. :P
Comment #11
agentrickardNot a problem.
Comment #12
agentrickardNew patch, with DBTNG update function. Tests pass.
Comment #13
moshe weitzman CreditAttribution: moshe weitzman commentedLovely use of db_insert() in update.
Comment #14
agentrickardCrell wrote that after I handed him the original (D6) code. :-) So he gets partial patch credit!
Comment #15
Crell CreditAttribution: Crell commentedSubscribe. :-)
Comment #16
webchickI'm quite sure the permissions revamp thing I committed earlier broke this. Sorry. :\ Should be a pretty quick re-roll.
This looks like a nice change, and I'd like to get it into UNSTABLE-2. Can someone confirm they tested the upgrade path?
Comment #17
webchickComment #18
Crell CreditAttribution: Crell commentedUm, link to the permission revamp thing so we know what happened? :-)
Comment #19
webchickYou mean you guys aren't following every last character on the core commit list with keen interest? ;)
#313213: Fix broken localization for permission names
Comment #20
Dave Reid#313213: Fix broken localization for permission names
Comment #21
agentrickardRevised patch. I believe the test case is ok, but a testing ninja should take a look.
Automated testing passes -- http://testing.drupal.org/node/15172
Comment #22
moshe weitzman CreditAttribution: moshe weitzman commentedKen's change looks good, the node.test looks proper, and runs without failures. RTBC.
Comment #23
webchickAwesome. :) Thanks!!
Please mention this in the upgrade docs.
Comment #24
XanoThe 'Create content' menu item no longer appears in the menu and as user 1 I have no longer access to /node/add.
//edit: Never mind, I didn't know the Content Types page was moved to Site building :P
Comment #25
agentrickardI put a comment here, but am not on the docs team:
http://drupal.org/node/224333#comment-1055014
Comment #26
webchickConsider that another bug fixed. ;) You are now! ;)
Comment #27
Crell CreditAttribution: Crell commentedSilly agentrickard. Never tell someone on the docs team that you aren't on it. :-)
Comment #28
gpk CreditAttribution: gpk commented@26/7: LOL
I turned the comment into an entry: http://drupal.org/node/224333#bypass_node_access. Worth a quick look by s.o. to make sure I understood it correctly...
Comment #29
agentrickardYes, you did. Thanks all!
Comment #30
Anonymous (not verified) CreditAttribution: Anonymous commentedAutomatically closed -- issue fixed for two weeks with no activity.
Comment #31
geerlingguy CreditAttribution: geerlingguy commentedUrgh... any chance of a backport to D6? This would be great for allowing users to create new revisions on access-controlled nodes without having access to any node on the site...