Nodeaccess: Strange behavior about anonymous content management

At admin -> user management -> access control, under the section "node module", how are the "edit own xxxx content" permissions set for the role "anonymous"?

The edit own xxxx content permissions are ALL set to false.

What happens if you disable all contrib modules? And perhaps optional core modules? And maybe clear (for now) all "edit own xxxx content" and "edit xxxx content" permissions. I can't reproduce the problem.

I found problem is in Nodeaccess module, in whitch I can't exclude edit permission to anonymous user if, for the same module, the author has permission to edit content of a specific node type.

For example, if the anonymous user can only view a specific content but author can also edit id, in Nodeaccess I see something like this:

I need to do this because I want that every user can edit only his own content and anoymous user can't create or edit anything on the site. But, so I can't deny anonymous user to change his own content.

Moving permission from author to other users isn't a solution because they will grant permission to edit content made by others.

It would be better if Nodeaccess module get author permissions and, after that, overwrite default role permissions for the node type denying thoese are not set. In my example on the above, anonymous user should only view his content even if he is the author.

Can I do this?

Thanks.

Do you need to use nodeaccess for the nodes in question? If you just use the standard roles/permissioning system then it should work the way you want...?

I just got bit by this one as well, or something very similar.

I wasn't actually using nodeaccess for anything yet, just had it installed and enabled, but hadn't touched the settings.

Seems that Drupal's default behaviour with a piece of content is to make the author anonymous if the author field is left blank. The author field was left blank after an edit, and immediately the content became editable by anyone visiting the site.

It's a dangerous default to give the author full permissions since it is so easy to make the author anonymous, or have a bunch of anonymous authored content lying around when you first enable the module.

Just to be sure, tested this out with a clean install of nodeaccess on a test site without any settings changed, and content with an empty author is immediately editable by anyone visiting the site.

Thanks, mrf.

I can definetively say that the possible solutions are two:

1. add in Nodeaccess "deny edit" and "deny delete" properties with an higher priority then other properies (even on the anonymous user);
2. don't allow the Author Settings for "Node author" properties on anonymous users.

The issue here is that "edit own" permissions aren't being taken into consideration. You can verify this also by giving view/edit/delete permissions to a role (authenticated users) for example and take away all "edit any" and "edit own" permissions to the roles. You will see that you'll still have the access granted by nodeaccess.

1. add in Nodeaccess "deny edit" and "deny delete" properties with an higher priority then other properies (even on the anonymous user);

Due to how hook_node_grants is implemented, this isn't a possibility.

2. don't allow the Author Settings for "Node author" properties on anonymous users.

This may be a solution, but I think some people might want this still. Maybe a configuration option for this is the better way to go.

I think a better solution would be to implement checks for edit own, edit any, delete own, and delete any in nodeaccess_access.

Any fix for this? This is a big, big security vulnerability--for example, by default, a user's nodes are assigned to Anonymous when a user is deleted. With this bug in nodeaccess, it results in anyone having author-level access to the nodes.

There's no reason for the anonymous user to be treated like other users. It's not actually a user, it's just a placeholder for no user.

grant view permission to a node not working using nodeaccess untill we enable the following permission at admin -> user management -> access control, under the section "node module",
is there any solution to solve this issue ?

zohera: sounds like a separate issue, so I'd suggest creating a separate issue for it.

About my solution:

don't allow the Author Settings for "Node author" properties on anonymous users.

andyl56 says:

This may be a solution, but I think some people might want this still... Maybe a configuration option for this is the better way to go.

Yes, I think this is the simpliest solution to a very big problem. Do we go?

Subscribing.