There is an inconsistency with required fields and permissions.
Create content type 'foo', which has a required field 'field_bar' (using a nodereference field here, not sure if that matters).
Configure 'authenticated user' permissions as follows:
can create 'foo' content
When an authenticated user visits node/add/foo to create new content of type foo, the form will not have the field 'field_bar' since the user doesn't have permissions to view or edit this field. In other words, the _required_ field 'field_bar' will not be visible and cannot be filled, hence the user should not be able to create the content. However, the system allows the user to create the content without any errors by simply filling in the _visible_ required information, such as the title.
If you log in as the administrator and view the created content, it will have the fields blank, which is inconsistent with the data model you defined since the fields MUST be specified for the content to be valid.
The solution is to give edit permission but not create to the role, but the configuration I present here is possible (by misconfiguration or misunderstanding) and is inconsistent.
Thanks. =)
Comments
Comment #1
nick.dap commented
To elaborate on the solution, the user who has the create permissions for content type 'foo' must have edit and view permissions to all required fields of content type 'foo'.
Comment #2
nick.dap commented
Clarification: make sure that the field doesn't have a default value. In case of nodereference, use the autocomplete widget.
Comment #3
markus_petrux commented
Actually, required is a field attribute that is passed to Forms API, but it should probably be enforced during nodeapi('validate') too. However, I do not think this is going to be addressed for D6 because changing this behavior will affect a lot of sites.
Workaround is easy: users that are allowed to create a node type should also be granted access to edit required fields.
Comment #4
nick.dap commented
I agree. Just wanted to make sure that the issue (and the workaround) is known.
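
An audit for the misconfiguration discussed in this thread, added here as an example and not code from the thread or from CCK: it flags every role that can create a content type but lacks edit permission on one of that type's required fields. The permission strings follow Drupal 6 node and Content Permissions naming ('create foo content', 'edit field_bar'); the function name and the sample data are constructed.

```php
<?php
// Constructed sample data. On a Drupal 6 site the same shapes could be built
// from CCK's content_types() and the {permission} table (assumption).
// Format: content type => array(field name => required?).
$types = array(
  'foo' => array('field_bar' => TRUE, 'field_note' => FALSE),
);
// Format: role name => effective permissions of that role. Assumes permissions
// inherited from 'authenticated user' have already been merged in.
$role_perms = array(
  'authenticated user' => array('create foo content'),
  'editor' => array('create foo content', 'edit field_bar', 'view field_bar'),
  'reader' => array('view field_bar'),
);

/**
 * Hypothetical helper: returns (role, type, field) triples where the role may
 * create the type but cannot edit one of its required fields, so the node
 * form hides the field and the node is saved with the field empty.
 */
function audit_required_field_access(array $types, array $role_perms) {
  $findings = array();
  foreach ($role_perms as $role => $perms) {
    foreach ($types as $type => $fields) {
      if (!in_array("create $type content", $perms)) {
        continue; // Role cannot reach node/add/<type>, nothing to check.
      }
      foreach ($fields as $field => $required) {
        if ($required && !in_array("edit $field", $perms)) {
          $findings[] = array('role' => $role, 'type' => $type, 'field' => $field);
        }
      }
    }
  }
  return $findings;
}

foreach (audit_required_field_access($types, $role_perms) as $f) {
  print "{$f['role']}: can create '{$f['type']}' but cannot edit required field '{$f['field']}'\n";
}
```

With the sample data only 'authenticated user' is reported; 'editor' has the edit permission and 'reader' cannot create 'foo' at all.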