CMF and access management

Hi Pascal!

If a role (for instance authentificated user) is granted the "view user content list" right, the Content Tab doesn't display on the My account page of any user of that role.

Shouldn't the user be able to access the tab and list, access and edit his own nodes ?

Indeed it can be a good idea for a future implementation. But a similar feature already exists on the core.
But I will think about it.

On the other hand, if any role is granted the "filter and manage site content", any user of that role can :

- display the Content Tab on his My account page
- list, access and edit his own nodes
- list all nodes he is NOT granted to access or edit - (though he can't access or edit them)

What would you propose to improve this?

Tank you for your feedback!

BTW I didn't figured out why you said hello to Chris, there isn't any over here :-)

I agree, what's great about this module is that it breaks from the "administer nodes" permission issue and allows none-administrators to manage content when they have the appropriate permissions to do so.

However, the user shouldn't see nodes unless that user has permission to edit... or there should be an additional field that shows whether the user can edit or not.

Currently, the only way a user can know which content items they can edit is to click the item, which brings them to the "you dont have permission to do that" message.

I fixed this issue kind of on the fly, if someone wants to create a patch, by all means. Below is the code that replaces the while loop on and around line 55 of node.inc. What it does is adds a conditional that first displays all node content if the user's role has the permission to administer nodes, since that overwrites any specific permissions assigned to individual nodes. Then in the else statement, within the while loop it creates a variable that is defined as "edit any $node->type content". So then it uses this variable in a conditional where if the user has permission to edit a node, then build the table with only the permissible nodes...

if (user_access('administer nodes')) {
  while ($node = db_fetch_object($result)) {
    $nodes[$node->nid] = '';
    $form['title'][$node->nid] = array('#value' => l($node->title, 'node/'. $node->nid) .' '.
      theme('mark', node_mark($node->nid, $node->changed)));
    $form['kind'][$node->nid] = array('#value' => _cmf_get_img('node', t('node')));
    $form['type'][$node->nid] =  array('#value' => check_plain(node_get_types('name', $node)));
if (!(arg(0) == 'user' && is_numeric(arg(1)) && arg(1) > 0)) {
      $form['username'][$node->nid] = array('#value' => theme('cmf_user', $node->uid));
    }
    $form['status'][$node->nid] =  array('#value' =>  ($node->status ? t('published') : 
      t('not published')));
    $form['created'][$node->nid] = array('#value' => format_date($node->created, 'small'));
    if (user_access('filter and manage site content'))
{
	$form['operations'][$node->nid] = array('#value' => l(_cmf_get_img('edit', t('edit')) .' '. t('edit'), 'node/'. $node->nid .'/edit', array('html' => TRUE)));
}
}
}
else
{
while ($node = db_fetch_object($result))
{
$permType = "edit any ". $node->type ." content";
if(user_access($permType)) {
	  $nodes[$node->nid] = '';
    $form['title'][$node->nid] = array('#value' => l($node->title, 'node/'. $node->nid) .' '.
      theme('mark', node_mark($node->nid, $node->changed)));
    $form['kind'][$node->nid] = array('#value' => _cmf_get_img('node', t('node')));
    $form['type'][$node->nid] =  array('#value' => check_plain(node_get_types('name', $node)));
    if (!(arg(0) == 'user' && is_numeric(arg(1)) && arg(1) > 0)) {
      $form['username'][$node->nid] = array('#value' => theme('cmf_user', $node->uid));
    }
    $form['status'][$node->nid] =  array('#value' =>  ($node->status ? t('published') : 
      t('not published')));
    $form['created'][$node->nid] = array('#value' => format_date($node->created, 'small'));
    if (user_access('filter and manage site content')) {
      $form['operations'][$node->nid] = array('#value' => l(_cmf_get_img('edit', t('edit')) .' '. 
        t('edit'), 'node/'. $node->nid .'/edit', array('html' => TRUE)));
    }
  }
  }
  }

Hope this helps.

halcyonandon, thank you for your collaboration. This is a good solution for the access management. I will try to add this feature in a next stable version of CMF, but I would prefer a DB oriented solution, i.e., a query that does not load all nodes that won't be displayed.

Great job!

For sites where this is relevant, it is important that users does not see titles (or even get to know of their mere existence) of posts they are not allowed access to.

Did anyone get this to work in Drupal 5? This is exactly the functionality I am looking for. I tried replacing the "while loop" at line 43 of node.inc for the Drupal 5 version: node.inc,v 1.1.2.2 2008/12/03 (the closest one I could find to what is described in post #4). Now the user CMF page returns zero nodes for my user. I'm not sure if I put this in the wrong place or if this needs some changing to work in Drupal 5. If someone can suggest how to do this in Drupal 5, I could possibly role a patch for node.inc. Thanks for the great module!

Thanks nunoveloso18,

Noticed something else... certain permissions don't fit the "edit any $node->type content" syntax, so keep that in mind if you're doing this...

I had to use if (user_access($permType) || user_access('edit any blog entry') || user_access('edit announcements')) instead of if(user_access($permType))

So, this isn't the most elegant solution, especially if you're using a number of custom modules with unique permission names that need to be considered in this.

I would also like to see the "node type" and "category filters" respect the access rights for the user's role. If so, the user specific CMF becomes much more user friendly. Why make the user sift through categories and node types that he or she can't touch? Thanks again for the great module!

I think we need to see if there is any value in using node_access().

See also #485744: Users able to publish any content regardless of permissons via CMF's 'Update Options'. for an additional symptom.

I agree with #8.

When for instance you want someone to edit only the publish/unpublish option, but they can't edit the node type.
The node types will not show up on the list.
I think it's better to use the conditional to toggle the edit link in the table, and additionaly a filter could then let the user choose wether or not they want the non-editable nodes listed.

p.s. you know, a great feat, would be a joint venture between the cmf and node override module.

@KoCo: You are probably right, but the two, as I understand it, operate at different times. But it is worth looking into. Please open a new feature request for both modules.

See also #379366: Publish Settings, a permission?.

Looking at a database solution, the first problem is that we would have to know if they actually intend to update, because the access privilege depends on that. What I am thinking right now is that we can query the db for any nodes that the user has "view" access for and then we would have to further check for "update" before adding the "edit" link. I'm not crazy about all that extra overhead, so I am open to suggestions.

Since we have not found a good database solution here, I'm going to mark this as "won't fix." I revisit that status on occasion to see if I've changed my mind.

As the node access permissions are key to how my users are able to edit content on my site, this feature is important if I'm ever going to use CMF. Could you review the possibility of this feature again, as some time has passed? Thank you.