I am using Drupal 6.9 and workflow module 6.x-1.1. I have enabled both the workflow and workflow access modules (workflow access comes with the workflow package, controls content access based on workflows and roles, and depends on the workflow module). I have two roles, "admin" and "story writer", on my site. "admin" can do anything and "story writer" can only "write" stories and "edit" his own stories. I have configured workflow permissions as follows:
1. access workflow summary views : "admin"
2. administer workflow : "admin"
3. schedule workflow transitions : "admin"
But the "Navigation menu" has a link to "Workflow summary" which is accessible to all, even though I have configured "access workflow summary views" for "admin" only. Is this a bug or default behaviour?
I expect this "workflow summary" menu should not be visible to anonymous users.
But if I click a "story item" as an anonymous user, then it works correctly and redirects to the access denied/user login page.
Comments
Comment #1
aac commented
Comment #2
nrackleff commented
Subscribing.
Comment #3
itaine commented
Just discovered this issue as well.
Subscribing
Comment #4
itaine commented
Poked around and discovered this really isn't a workflow module issue. I can think of three ways to resolve this:
1. Delete the workflow_summary and workflow_pending views altogether and install the Grants Module, which gives you a more detailed listing via a "my content" link.
2. Disable the "access all views" permission for all but admin and control views access permissions at the views level. Edit the workflow_summary and workflow_pending views, click on "basic settings > access" and change from permission to role, click update, then set the role and hit save. That will do it, but now you have to control access to all views at the view level as opposed to the blanket setting in your /admin/user/permissions panel.
3. This one I haven't tried yet, but my guess is we could use one of the many node access modules out there and block it at the page/paths level as a whole and not just the view.
Comment #5
Peel commented
I too found this problem, and as a workaround I disabled the Workflow summary menu from the Navigation menu and added it to the Development menu which only the Admin can see (part of devel module). Would be nice to have a real solution for this though.
I only noticed the problem because I had an anonymous user try to purchase something on my store, when my store isn't viewable yet but the product was accessible from the Workflow Summary menu!
Comment #6
jimbox commented
Subscribing...
Prior to noticing the problem I never had the Navigation block available to anonymous users. Then I recently added the revisioning module and module grants (as part of revisioning). Somewhere thereafter I noticed Workflow being in among the links in the Nav block.
Didn't workflow take control of access control via its own config and its own permissions settings? I believe revisioning supersedes these perms with its own publishing mechanism, non-dependent on the Published box being checked for a node (which workflow *did* depend on).
From a development perspective, the Workflow Summary View should have absolute access control to itself based on its own permissions, and not be dependent on any other modules and/or their permissions.
Comment #7
bokswagen commented
I encountered the same problem. I tried to limit access from the views page at /views/edit/workflow_summary as role:Administrator but no luck. It still shows up even as an anonymous user.
I found a workaround until we figure out the permission access for the workflow summary page. I'm using http://drupal.org/project/menu_per_role.
It adds a restriction access for each menu.
Comment #8
Toktik commented
The problem is that you enable the "access all views" permission. Disable it!
Comment #10
arcall commented
I have found this guy who wrote a patch based on permission! Works perfectly for me: http://drupal.org/node/785194