Requires "Edit Any" Permission

johnthomas00 - June 11, 2009 - 15:53
Project: editablefields
Version: 6.x-1.2
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: closed
Description

First, thank you for the great module.

I am using the latest and greatest released and non-beta modules for Drupal 6.

Editable fields works as expected if the user has "edit any" permission, but does not work at all if the user does not.

I am granting the user permission with nodeaccess_userreference-6.x-2.1.tar.gz and other than editablefields, everything works great.

This could certainly be my mistake somewhere. I am happy to troubleshoot.

#1

morningtime - July 3, 2009 - 16:30

Any update on this?

Shouldn't editablefields have its own permission system?

#2

ju.ri - July 3, 2009 - 16:44

I can confirm this. My site shows a views block with editable fields, with the "user=current user" filter, so it shows only the users own profile node. The editable fields don't show up at all when the user doesn't have the "edit any" permission.

#3

ju.ri - July 4, 2009 - 19:05

The code responsible seems to be this:

  if (!node_access('update',$node) || !content_access('edit', $field)) {

This doesn't seem to work when the editable field is inside a view.

I could remove the whole access check section for my site, because it is checked elsewhere, but that's not a solution of course.

#4

rjbrown99 - July 11, 2009 - 02:50

+1

Even though the user has "edit own XYZ content" permission, the editable fields do not show up in the resulting view. When the user is granted "edit any XYZ content" permission, all of the editable fields show up. This is using 6.x-1.2.

#5

morningtime - July 11, 2009 - 14:02

I have a more important issue:

- I want to allow users to edit fields with editablefields on node view
- I do NOT want users to EDIT the actual node

For this, editablefields really needs its own permission system. E.g. Authenticated users may edit fields, whilst they may not edit the node (node/12/edit)

#6

morningtime - July 11, 2009 - 14:44
Status: active » needs review

SOLVED: In order to override content access permissions (such as 'edit any'), do this:

EDIT editablefields.module

ADD somewhere (e.g. at the top):

/**
* Implementation of hook_perm().
*/
function editablefields_perm() {
  return array('edit all editablefields');
}

FIND:
  if (!node_access('update',$node) || !content_access('edit', $field)) {
CHANGE TO:
  if ((!node_access('update',$node) || !content_access('edit', $field)) && !user_access('edit all editablefields')) {

FIND in function editablefields_html():
  if (node_access('update', $node)) {
CHANGE TO:
  if (node_access('update', $node) || user_access('edit all editablefields')) {

FIND in function editablefields_submit():
  if (node_access('update', $node)) {
CHANGE TO:
  if (node_access('update', $node) || user_access('edit all editablefields')) {

And then go to user permission, and select which roles should have "edit all editablefields".

Thank you,

#7

haroon373 - July 13, 2009 - 07:20

Thanks mxistence
It's a great solution for user permission

But in my case,
I have a profile field in a view. Like First Name, Last Name etc. These are all created from CCK under content type of profile. And these fields are editable in view.

The problem is, if I use your (above) changes, or I allow edit any profile content, then any user can edit anyone's first name and last name fields.

I just want to permit a user to only view other users' profiles and edit his own profile content.

I hope you understand what I am trying to say. You can ask questions if there is some problem.

Sorry for the stupid question, but I am a newbie in Drupal development.

Any help will be greatly appreciated.

#8

haroon373 - July 13, 2009 - 08:34

Yuppi... :)
I just resolved the issue I described above
Thanks to "mxistence" who showed me the way :D

What I did is, I didn't implement any hook. I just did the following steps:

FIND:
if (!node_access('update',$node) || !content_access('edit', $field)) {
CHANGE TO:
if ((!node_access('update',$node) || !content_access('edit', $field)) && (!user_access('edit own profile content', $account) && ($account->uid == $node->uid))) {

FIND in function editablefields_html():
if (node_access('update', $node)) {
CHANGE TO:
if (node_access('update', $node) || (!user_access('edit own profile content', $account) && ($account->uid == $node->uid))) {

FIND in function editablefields_submit():
if (node_access('update', $node)) {
CHANGE TO:
if (node_access('update', $node) || (!user_access('edit own profile content', $account) && ($account->uid == $node->uid))) {

Now these lines will check: is this the right user on his own profile page to edit it? If so, they will allow him to edit the profile fields.

I hope this solution will help anyone...

BUT
I faced a problem after doing this. When I go to any other user's profile page to view his profile, the application shows as many alert boxes as there are fields on the page.

What I did to resolve it is just comment out line ~53 in module/editablefields/editablefields.js, which looks like
alert(Drupal.t("An error occurred at ") + url);

But this is not the solution... :P
Can anyone help me to resolve this issue?

#9

bengtan - September 16, 2009 - 05:15

Hi,

I have a clean fix.

For editablefields 6.x-1.2, in the file editablefields.module, in the function theme_editablefields_formatter_editable(), change line 73 from:

$node = $element['#node'];

to

$node = node_load($element['#node']->nid);

The bug was that $node wasn't actually a node object. Hence, the subsequent node_access() call was failing because it was getting garbage.
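
An added example, not part of the thread or of the module's code: a simplified PHP model of a Drupal 6 style per-type update check, showing why "edit any" could pass while "edit own" could not when the formatter received an incomplete node object, and what the extra permission from comment #6 does to the ownership test. The `model_*` functions, the sample accounts and the shape of the stub node (type present, uid missing) are assumptions made for illustration; the thread does not say which properties were missing.

```php
<?php
// Simplified stand-in for a Drupal 6 style update check; not core or module code.
function model_user_access($perm, $account) {
  return in_array($perm, $account->perms, TRUE);
}

function model_node_update_access($node, $account) {
  $type = isset($node->type) ? $node->type : '';
  // "edit any" only needs the content type, so a stub node is enough.
  if (model_user_access("edit any $type content", $account)) {
    return TRUE;
  }
  // "edit own" needs the author uid; a stub without uid can never match.
  return model_user_access("edit own $type content", $account)
    && isset($node->uid) && $account->uid == $node->uid;
}

// The check as changed in comment #6: the extra permission is OR-ed in,
// so it bypasses the per-node ownership test entirely.
function model_editable_with_override($node, $account) {
  return model_node_update_access($node, $account)
    || model_user_access('edit all editablefields', $account);
}

// Constructed sample accounts and nodes.
$owner = (object) array('uid' => 7, 'perms' => array('edit own profile content'));
$other = (object) array('uid' => 9, 'perms' => array('edit own profile content',
                                                     'edit all editablefields'));
$admin = (object) array('uid' => 1, 'perms' => array('edit any profile content'));
// Assumed shape of the object passed to the formatter inside a view.
$stub = (object) array('nid' => 12, 'type' => 'profile');
// Assumed shape of what reloading the node by nid returns.
$full = (object) array('nid' => 12, 'type' => 'profile', 'uid' => 7);

$cases = array(
  'owner, stub node'         => model_node_update_access($stub, $owner),
  'owner, reloaded node'     => model_node_update_access($full, $owner),
  'edit-any role, stub node' => model_node_update_access($stub, $admin),
  'non-owner, reloaded node' => model_node_update_access($full, $other),
  'non-owner, #6 override'   => model_editable_with_override($full, $other),
);
foreach ($cases as $label => $allowed) {
  printf("%-26s %s\n", $label, $allowed ? 'allowed' : 'denied');
}
```

The last row is the over-grant raised in comment #7: a role holding the override permission can edit fields on nodes it does not own, so that permission belongs only on roles trusted to edit every node the fields appear on.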

#10

bengtan - September 16, 2009 - 05:23

For those who are using editablefields 6.x-2.x, the relevant line number is line 79.

Or else you can apply the patch from comment #1 of #578678: Replace ajax loads with inline html widgets. Improve load time by 90%+.

#11

bengtan - September 17, 2009 - 07:52
Status: needs review » fixed

The suggested fix from comment #9 has been committed to cvs and will be incorporated into the next release of editablefields.module.

Until that time, you can patch your own site by following the directions in comment #9. Thank you.

#12

maverick14 - September 29, 2009 - 09:38

+1 waiting for the next release of this module including the permission fix.

#13

System Message - October 13, 2009 - 09:40
Status: fixed » closed

Automatically closed -- issue fixed for 2 weeks with no activity.

 
 
