Ask question needs create FAQ permission
birwel - September 17, 2009 - 18:47
| Project: | FAQ_Ask |
| Version: | 6.x-2.0-alpha1 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
As I said, when I try to ask a question from a user owning 'ask question' permission, I obtain permission denied.
The only way to be able to do it is granting the 'create faq' permission to users... bu I don't want users to be able to create FAQ contents...
Is this the only way to create questions ? Is it a bug?
#1
This is a regression from the stable version. I just upgraded to mitigate a serious security hole. It seems that there's another one now :(
#2
ping
#3
What was the regression? AFAIK, this is the way it has always worked. Security patches are coming out soon.
#4
NancyDru, what more information do you need?
#5
Perhaps I'm mistaken, but as I recall, I had my site set up so anonymous users could *ask* a question without creating a FAQ. Or perhaps they did create the FAQ but couldn't answer it at the same time?
#6
This module has always created an unpublished FAQ node. Asking and answering are controlled by the permissions.
#7
hmm. Yes, I see now. If you follow the Ask link, part of the form is hidden. But if you click on the Create>Faq link, you get the whole form. It also shows up in the menu, even if Create Content is normally hidden to anons.
At the very least, this is very confusing to a newb. Do you have any ideas on how to make this better?
#8
Yes, the asker should not see the answer field because it hasn't been answered yet.
My first suggestion is that you try the current 6.x-2.x-dev version. I am going to be out of touch for several days at least.
#9
subscribe
#10
ideas how to make this better: Make the "ask question" a separate item in hook_menu, with a separate page callback and separate access control. The callback can then simply clone and modify the original faq node creation form.
You can even do that in a custom module, if you don't want to wait for a new faq_ask version.
#11
The bugs here are:
a. Users with "ask a question" but not "answer a question" can nonetheless both ask and answer questions (by following the link node/add/faq).
b. Users with "answer a question" but not "ask a question" permission can both ask and answer questions.
I think the expected behaviour is:
* A user with "ask a question" but not "answer a question", can submit questions but not answer either own or others' questions.
* A user with "answer a question" but not "ask a question" permission cannot either create or edit a question but can answer others' questions.
A basic problem is that Drupal's permission system is additive. One permission should not cancel out another permission that a given role has. Assigning "answer questions" to a user should not take away "create faq" from that user.
Proposed approach:
* Eliminate "answer question" permission. Instead, use "edit faq" to test for the ability to edit (answer) others' questions.
* Drop the ask=true path argument.
* Eliminate "ask question" permission. Instead introduce "answer own questions" permission. Users without this permission don't get the body field.
#12
Here we go, a patch.
Effects:
- the form now appears in the url path "faq_ask", no more redirects.
- faq_ask needs "ask question" permission, no "create faq" or "create node" required.
- undesired fields and fieldsets are stripped from the faq_ask form, even for the admin.
- on any faq related form, users need "answer question" permission to see all fields.
- users with "ask faq" and "edit own faq" permission can edit their questions, but the rest of the edit form is stripped, unless they have permission to "answer questions".
Still missing:
- Prevent people with "edit own faq" permission from editing a question after it has been answered. The "answerer" could do that by changing the author, but it would be more elegant to have a dedicated mechanic for that.
#13
My patch goes a different way, but maybe your proposal is not so bad after all.
With my patch, the "create faq" permission doesn't make much of a difference, except that you can't visit node/add/faq. If you have "create faq" permission, but not "answer question", then node/add/faq will look the same as faq_ask, so, not a big difference.
Maybe the "create faq" should allow to create complete faq nodes, and the only thing where you need "answer question" would be if you want to edit the "body" field of someone else's question..