I've got protected node working for a content type (i.e., when I try to view a protected node it asks the anonymous user for the password). However, the user can access node/xx/edit directly without giving any password, which is not good at all.

To not get an "access denied" when going to a protected node path, I need to grant "administer nodes" for anonymous users, but this also gives them access to node/xx/edit. This is what I've found out so far. I've fiddled around for ages without finding a solution. Anyone know what I might be doing wrong?

Comments

mtolmacs

But the protected_node module does not interfere with the node module's permissions, so unless you enable those groups you mention to edit nodes, I pretty much can't see how they can end up editing those nodes.

mtolmacs

Status: Active » Closed (won't fix)

I assume that this was a false positive. Please reopen if you can reproduce this issue and/or have more information.

sittard

Status: Closed (won't fix) » Active

I also needed to protect 'node/edits' from people with the same role. My solution was to create a custom module with the following code.

I'm using D6 and Protected Node 6.x-1.5.

/**
 * Implementation of hook_nodeapi().
 * @link http://api.drupal.org/api/function/hook_nodeapi/6
 */
function my_module_name_protected_node_nodeapi(&$node, $op, $arg = 0, $page = 0) {
  global $user;
  
  switch ($op) {
    case 'prepare' :
      if ($node->is_protected && !user_access('bypass password protection')) {
        // If we have been accessed from cron.php (f.e. search indexing)
        if (variable_get( 'cron_semaphore', FALSE )) {
          $node->title = '';
          $node->teaser = '';
          $node->body = '';
          $node->content = array();
        }
        else {
          if (!$user->uid && variable_get( 'cache', 0 )) {
            $GLOBALS['conf']['cache'] = FALSE;
          }

          if ($node->uid !== $user->uid) {
            // If node is protected and not teaser nor page view and not owner of node
            if (!isset( $_SESSION['_protected_node']['passwords'][$node->nid] )) {
              if (!$arg) {
                $_SESSION['_protected_node']['current'] = $node->nid;
                $destination = drupal_get_destination();
                drupal_goto( 'protected-node', $destination );
              }
              else {
                $node->teaser = '';
                $node->body = '';
                $node->content = array();
              }
            }
          }
        }
      }
      break;
  }
}

Perhaps this functionality could be added to the module?

Thanks.

mtolmacs

Version: 5.x-1.3 » 6.x-1.5
Component: Documentation » Code
Assigned: Unassigned » mtolmacs

We'll see how this can be solved.

AlexisWilke

Assigned: mtolmacs » AlexisWilke
Status: Active » Fixed

This is fixed. The behavior of the module is the same, but the way it is done is now correct and anything under the node/#/* path is protected.

Thank you.
Alexis

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.
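
The fix described in the thread gates every path under node/#/*, not only the view page. One way to express that in Drupal 6 is shown below as an added example; it is not the Protected Node module's own code. The module name "mymodule" is hypothetical, and the permission name, session key and 'protected-node' path are taken from the snippet posted earlier in the thread.

```php
<?php
/**
 * Added example, not Protected Node's own code.
 * Implementation of hook_init() for a hypothetical module "mymodule".
 */
function mymodule_init() {
  global $user;

  // Match node/<nid> and every sub-path (node/<nid>/edit, /delete, ...),
  // so the check does not depend on which node operation was requested.
  if (arg(0) != 'node' || !is_numeric(arg(1))) {
    return;
  }

  $node = node_load(arg(1));
  // Assumption: Protected Node sets is_protected on the loaded node,
  // as the snippet earlier in the thread relies on.
  if (!$node || empty($node->is_protected)) {
    return;
  }

  if (user_access('bypass password protection')) {
    return;
  }

  // Owners skip the prompt, but only when logged in: uid 0 is shared by
  // every anonymous visitor and must never count as "the owner".
  if ($user->uid && $node->uid == $user->uid) {
    return;
  }

  // Keep protected pages out of the anonymous page cache.
  if (!$user->uid && variable_get('cache', 0)) {
    $GLOBALS['conf']['cache'] = FALSE;
  }

  // No password recorded in this session: send the visitor to the
  // password form and come back to the requested path afterwards.
  if (!isset($_SESSION['_protected_node']['passwords'][$node->nid])) {
    $_SESSION['_protected_node']['current'] = $node->nid;
    drupal_goto('protected-node', drupal_get_destination());
  }
}
```

The password gate is in addition to Drupal's own node access checks: the edit form still requires the usual edit permission once the password has been entered.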