I was poking around in the documentation, but didn't see a direct answer to this question. How do I go about preventing users from posting to other people's acidfree albums? In a perfect world, I'd like people to be able to post *only* their own photo albums (and possibly to the groups they belong to), but *not* to other people's groups.

Is there some aspect of node access that I'm missing?

Currently, authenticated users have the following rights within Acidfree:

create acidfree albums
create acidfree photos
create acidfree videos
edit own acidfree elements

Within organic groups, they can:

administer organic groups
create groups

Comments

vhmauery

Status: Active » Closed (duplicate)

Currently this is a security problem that I haven't found an acceptable solution to. Since posting to an album (or updating the parent album) is not _really_ updating the parent album, simply using a node_access solution doesn't work.

This is really a duplicate of bug http://drupal.org/node/34372 so go ahead and follow that bug for when this gets fixed. I have a big nasty patch I am working on right now that should hopefully fix this, but it is still a work in progress.
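A simplified model of the gap described in the comment above, added here as an illustration; it is not Drupal or Acidfree code. The names `Album`, `Site`, `node_access_only` and `may_post_into`, and the sample users and group, are assumptions. It shows that a per-node check never looks at the parent album when a photo is created, and what a check on the parent relationship would have to test.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Album:
    nid: int
    owner: str
    group: Optional[str] = None  # organic group the album is posted to, if any

@dataclass
class Site:
    perms: dict = field(default_factory=dict)        # user -> set of permission strings
    memberships: dict = field(default_factory=dict)  # user -> set of group names

def node_access_only(site, user, op, node=None):
    """Per-node check: 'create' looks only at the permission, 'update' at ownership."""
    granted = site.perms.get(user, set())
    if op == "create":
        return "create acidfree photos" in granted
    if op == "update":
        return (node is not None and node.owner == user
                and "edit own acidfree elements" in granted)
    return False

def may_post_into(site, user, parent):
    """Hypothetical extra check on the parent: own album, or album of a group the user is in."""
    if not node_access_only(site, user, "create"):
        return False
    if parent.owner == user:
        return True
    return parent.group is not None and parent.group in site.memberships.get(user, set())

def demo():
    # Constructed sample data: three users holding the rights listed in the question.
    rights = {"create acidfree albums", "create acidfree photos", "edit own acidfree elements"}
    site = Site(perms={u: set(rights) for u in ("alice", "bob", "carol")},
                memberships={"bob": {"hikers"}, "carol": {"hikers"}})
    bobs = Album(nid=2, owner="bob")
    shared = Album(nid=3, owner="bob", group="hikers")
    return {
        # Creating a photo passes no matter which parent album it names.
        "create_check_alice": node_access_only(site, "alice", "create"),
        # The update check on the parent would refuse, but posting a child never runs it.
        "update_check_alice_on_bobs": node_access_only(site, "alice", "update", bobs),
        "alice_into_bobs": may_post_into(site, "alice", bobs),
        "bob_into_bobs": may_post_into(site, "bob", bobs),
        "carol_into_group": may_post_into(site, "carol", shared),
        "alice_into_group": may_post_into(site, "alice", shared),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```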