Create permission not working
com2 - January 13, 2009 - 14:09
| Project: | Taxonomy Access Control |
| Version: | 6.x-1.0 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | active |
Jump to:
Description
Try to restrict a role that it can only create new content with some terms but all terms are still listed in the form. Could this be related to an upgrade to D6.8, because before I could do this correctly
#1
subscribe
#2
Now I tried to do this with a clean install. What I did:
Created test user with a test role. Created a vocabulary and some terms. One term was added in Taxonomy Access allowing to View, Update, Delete, Create and List:
1. The test user could edit and delete nodes of that term.
2. A bug was noticed that you can update a node to all terms while it should only show terms that are permitted for the role.
3. Users can only create new nodes after giving core permission to do so. Why is that only for Creating? Updating and deleting can be done without setting any core permissions! Beside the lack of documentation on this behaviour I consider this an inconsistency bug.
4. When the former behaviour is by design, then I have to add another bug. When creating a new node all terms are listed, even though the role does not have Create access for them.
#3
#4
I concur with the above but add that the problem is even worse than described.
I created a View to display a list of Node:Title together with the fields Node:Link (view), Node:Edit link and Node:Delete links.
When as an admin I UNtick a role's permission to Edit content of a particular type (via the node module access section of the Permissions page), I can subsequently control (via User Mgmt-->Taxonomy Access Permissions) the absence/presence of these links for the selected Taxonomy terms. So far, so great.
However logging in as a normal user (in the relevant role) and clicking on the edit or delete links produces the error "You are not authorized to access this page".
When I then grant (ie tick on the node module access section) the permission to Edit, the edit link appears for *all* content of that type regardless of the value of the Taxonomy term.
In other words it seems that Permissions granted in the node access section override whatever is set under Taxonomy Access Permissions, but when the node module access section is left blank, the Taxonomy Access Permissions only work in appearance, not in functionality.
#5
This page describes what's going on.
#6
Thanks for a really useful module, and I've had either this or a previous version working some time ago. But for the life of me, I can't get it working now. It just refuses to override Drupal's standard Permissions. I've tried uninstalling and reinstalling the module, rebuilding permissions, deleting and re-adding roles, etc, but it just doesn't do it.
If I give a certain role rights (via Drupal Permissions) to create a node type, users with that role can create a node with any taxonomy term, no matter how I restrict them with the TAC settings. And if I don't give that role permission to create that node type, users with that role are refused permission to access the create node form, no matter what I do with the TAC setting.
Either I'm overlooking something obvious (definitely possible) or this TAC 6.x-1.x-dev version is broken on Drupal 6.10. If it's the latter, can someone let me know, so I can give up and wait for the new version?
But if it's not broken, does anyone have any idea what I might be doing wrong?
Thanks.
#7
I believe the first issue (terms displayed in list when they shouldn't be) may be solved by checking your settings for the anonymous and authenticated user roles. It looks like the default for those roles is to have the Create option checked. Uncheck that and see if that fixes the problem. Worked for me.
I'm going to adjust the .install file to not check the Create box by default for either anonymous or authenticated users. Let me know if you can think of any reason this would be a bad idea.
As for the other problem with not being able to get to the node/add form without the node.module relevant create permission, I'll look into that.
#8
http://drupal.org/cvs?commit=211858
#9
I went through and checked our anonymous and authenticated permissions as you outlined in #7 above. Unchecking the "Create" option for these two roles did the trick. Our taxonomy selects are not limited properly and they update as promised. Thanks!
Not sure I've encountered the other issue, so I can't comment there.
#10
Perhaps I misunderstood something, but I feel the issue here is a deeper one.
I checked permissions as per #7 above, but I still get 'Add child page' only when I enable the role to create content.
How can the module control the 'create' permission on a node that does not exist yet ?
From where is the taxonomy term coming from to even check the permissions ?