Closed (works as designed)
Project: Drupal core
Version: x.y.z
Component: node.module
Priority: Minor
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 9 Dec 2005 at 16:59 UTC
Updated: 7 Jan 2006 at 16:30 UTC
So I was looking through node.module and saw:
// Don't show node options because the user doesn't have admin access.
$form['status'] = array('#type' => 'value', '#value' => $node->status);
$form['moderate'] = array('#type' => 'value', '#value' => $node->moderate);
$form['promote'] = array('#type' => 'value', '#value' => $node->promote);
$form['sticky'] = array('#type' => 'value', '#value' => $node->sticky);
$form['revision'] = array('#type' => 'value', '#value' => $node->revision);
Now this is either a major problem or a minor problem:
1) If these form elements are honored anywhere, then non-privileged users can change any of them at will by twiddling with POST parameters.
2) If these form elements are NOT honored anywhere, then this is dead code, and should be removed.
Comments
Comment #1
Steve Dondley commented
These fields are of type 'values' and so cannot be fiddled with by the user. I can't speak to your concern about cruft. Downgrading to minor.
Comment #2
chx commented
On the other hand, I *can* speak about your concerns about cruft. During form build, these will go to form_values and even later it'll become the node you update/insert and then you will need these.
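
A simplified model of the point made in comments #1 and #2, added here as an example and not taken from Drupal's own code: elements of type 'value' are filled from the server-side form definition, so extra POST fields never reach them. The helper `collect_form_values()`, the `#default_value` fallback, and the sample node and request are constructed for illustration.

```php
<?php
// Simplified model of the behaviour described in the comments above.
// This is NOT Drupal's form.inc; collect_form_values() is a hypothetical helper.

/**
 * Build the submitted values for a flat form definition.
 *
 * 'value' elements are never rendered and never read from the request;
 * every other element type takes its value from the POST data.
 */
function collect_form_values(array $form, array $post): array {
  $values = array();
  foreach ($form as $key => $element) {
    if ($element['#type'] === 'value') {
      // Server-side only: anything the client sent under this key is ignored.
      $values[$key] = $element['#value'];
    }
    elseif (array_key_exists($key, $post)) {
      // Rendered input: the client controls this value.
      $values[$key] = $post[$key];
    }
    else {
      // Rendered input that was not submitted: fall back to the default.
      $values[$key] = isset($element['#default_value']) ? $element['#default_value'] : NULL;
    }
  }
  return $values;
}

// Constructed sample: an unpublished node edited by a user without admin access.
$node = (object) array('title' => 'Draft', 'status' => 0, 'promote' => 0, 'sticky' => 0);

$form = array(
  'title'   => array('#type' => 'textfield', '#default_value' => $node->title),
  'status'  => array('#type' => 'value', '#value' => $node->status),
  'promote' => array('#type' => 'value', '#value' => $node->promote),
  'sticky'  => array('#type' => 'value', '#value' => $node->sticky),
);

// Constructed request: the client adds fields the form never rendered.
$post = array('title' => 'Edited title', 'status' => '1', 'promote' => '1', 'sticky' => '1');

// The title follows the request; status, promote and sticky keep the node's values.
$values = collect_form_values($form, $post);
print_r($values);
```

The protection holds only while the handler reads the merged values; code that reads `$_POST` directly for these keys would bypass it.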