This potential mistake makes all work with some content access control (like the Content Access Module that I'm using) useless... Instead of consulting the Drupal access control, it should be based on the {node_access} table, calling the function node_access() to test if a user may delete the node created by him/herself or not.
The one that I discovered (maybe the module needs more testing against Drupal access control?) happens when a user is in the cart and chooses to remove one product (that is, delete the associated node) from it. I had selected in Drupal AC to let the user be able to create the nodes, but not edit them (and in Drupal AC that means edit AND delete), so in the Content Access module I could fine-grain this access (the user may delete the node, but not edit it).
Comments
Comment #1
rszrama commented
So, I'm not sure this is a huge issue, because you don't necessarily want a bunch of unfinished nodes laying around cluttering up the space. There's actually a setting you can uncheck so that nodes don't get deleted... but if I make it based on node_access(), anonymous users who create nodes for checkout will never be able to delete their nodes. You don't want to give anonymous users "delete own node_x" because then they could all delete each other's nodes. : P
So... I'm going to mark this postponed for now... I think the settings are confusing enough as is, so I'm not sure I want to accommodate this option. However, I will say that a small module implementing hook_form_alter() could remove the submit handler from the cart view form that does this and replace it with a copy of the function that has been modified to use node_access().
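One way to build the small module rszrama sketches above, as an added example that is not code from Ubercart, Content Access or anyone in this thread. It targets the Drupal 6 API of the era; the form id, the original submit handler name and the `removed_nids` value key are placeholders and assumptions, since the thread does not name them.

```php
<?php
// Added example: a tiny custom module that swaps the cart view form's
// node-deleting submit handler for one that consults node_access().
// ASSUMPTIONS (not stated on the page): the module is named
// cart_node_delete_guard; the two PLACEHOLDER constants must be replaced with
// the real form id and submit handler name of the module being patched; the
// submitted values carry the removed items' node ids under the hypothetical
// key $form_state['values']['removed_nids'].

define('CART_NODE_DELETE_GUARD_FORM_ID', 'PLACEHOLDER_cart_view_form_id');
define('CART_NODE_DELETE_GUARD_ORIG_SUBMIT', 'PLACEHOLDER_original_submit_handler');

/**
 * Implementation of hook_form_alter().
 *
 * Replace the original submit handler in place so the ordering of any other
 * submit handlers on the form is left unchanged.
 */
function cart_node_delete_guard_form_alter(&$form, &$form_state, $form_id) {
  if ($form_id != CART_NODE_DELETE_GUARD_FORM_ID || empty($form['#submit'])) {
    return;
  }
  $key = array_search(CART_NODE_DELETE_GUARD_ORIG_SUBMIT, $form['#submit']);
  if ($key !== FALSE) {
    $form['#submit'][$key] = 'cart_node_delete_guard_submit';
  }
}

/**
 * Replacement submit handler: delete only the nodes the user may delete.
 */
function cart_node_delete_guard_submit($form, &$form_state) {
  global $user;
  $nids = isset($form_state['values']['removed_nids']) ? (array) $form_state['values']['removed_nids'] : array();
  foreach ($nids as $nid) {
    $node = node_load($nid);
    if (!$node) {
      continue;
    }
    // node_access() honours the {node_access} grants and hook_access(), so a
    // Content Access setting of "delete own" without "edit own" is respected,
    // instead of the bare "author == current user" shortcut.
    if (node_access('delete', $node, $user)) {
      node_delete($node->nid);
    }
    else {
      drupal_set_message(t('The item was removed from your cart, but node %title was kept because you may not delete it.', array('%title' => $node->title)), 'warning');
      watchdog('cart_node_delete_guard', 'Refused to delete node %nid for user %uid.', array('%nid' => $node->nid, '%uid' => $user->uid), WATCHDOG_NOTICE);
    }
  }
}
```

Because the check runs per node, an anonymous checkout flow that relies on "delete own" is not granted anything extra by this module; such a site would still need the grant rszrama warns about, or its own hook_access() rule, for those nodes to be removable.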
Comment #2
rszrama commented
Comment #3
rszrama commented