Currently a user that does not have 'update' access to a node cannot add children to it even if this user has all the node hierarchy permissions set to allow (eg 'administer hierarchy', 'create child nodes', etc). This doesn't seem right to me: i should be able to add a child to a node even if i don't have update permissions to the node i'm adding this child to.
Example: implementing a simple project - task functionality: create a project and let people add tasks/issues to it. Only you can edit/update that project but anyone can add tasks to it. Currently you cannot do this with NH and it is a pity.

The problem comes from _nodehierarchy_get_parent_pulldown_items function which calls node_access('update', $hierarchylist):
if ($hierarchylist->nid != $child_node && node_access('update', $hierarchylist)) .
One solution would be to provide a per node type the ability to select which roles could add children to those nodetype nodes. This would be simple to implement.

I would be very happy to provide a patch for this if there is any interest in this functionality.
Also suggestions are welcomed.

Comments

andreiashu’s picture

andreiashu commented
Title: 'update children list' like permission » Provide roles per node-type 'add children' permission

Updated title to a slightly better version

geoffberger’s picture

geoffberger commented

I for one would like to see this functionality. I've been looking for a solution similar to this for quite some time.

Let me know if you'll need any assistance or help testing.

jjalocha’s picture

jjalocha commented

I definitely need this feature, too. A user that has no editing rights on a node should be able to attach children to it. There are quite a lot of modules available, that deal with node relationships, but none (as far as I see) that allow a non-author to link nodes on Drupal 6:

The Rules module could be the solution to this problem, but as far as I know, only CCK from the list above provides integration with Rules.

ronan’s picture

ronan commented

This module was written that way so that I could integrate with node access modules. By limiting update access to a node, you can lock off entire sub trees of a site. I was never really happy with using 'update node' perms for this but it was really the only way to work with node access.

As long as your patch does not interfere with the current behavior by default (ie: being able to add children to a node without update perms is opt-in) then I'll be happy to commit it.

Thanks
Ronan

Fa-sum’s picture

Fa-sum commented
Version: 6.x-1.x-dev » 6.x-2.x-dev

Are there news about this?
I would really like to have the possibility to let users chose a parent without having rights to edit it.

Thanks in advance.

markhalliwell’s picture

markhalliwell
Primary language English
commented
Component: Code » Drupal/PHP Code

Copy & Pasted: This issue is over one year old. If this issue is not applicable anymore, please consider closing it. Otherwise, please update this issue appropriately.