Why does permission 'administer nodes' get to 'edit composite layouts'

//line231 + line261
 ((user_access('edit composite layouts') || user_access('administer nodes'))

Layout is something more involved than administering node content and permissions should be given separately for each one

Even if people don't agree with that, right now you can't give someone "administer nodes" without allowing them to "edit the layouts" and this is not always desirable or if you ask me it is almost never desirable

If we get rid of the "administer nodes" from the code of the module each permission will be responsible for exactly what it oughts to .. and module still works as it should ... is there any reason for allowing such behaviour ??

here is the simple patch for this, it has been tested and works as it should but still needs review

CommentFileSizeAuthor
#7 601770_composite_perm_admin_nodes_can_edit_layouts.patch1.97 KBgiorgosk
composite_get_rid_administer_nodes.patch1.05 KBgiorgosk

Comments

bengtan’s picture

bengtan commented

Hi,

I'm just following the Drupal convention, which is that anyone with 'administer nodes' permission is allowed to do anything to any node. If you look inside node_access() in node.module, you will see this to be the case.

giorgosk’s picture

giorgosk
Location Chios, Greece 🇬🇷
commented

I understand you want to follow convention but your approach needs a little rethinking

1. Why can't you think of it like the "administer taxonomy" permission. Taxonomy module allows you to modify vocabularies and terms only with "administer taxonomy" permission. "administer nodes" does not suffice and it only lets you PICK a term for your node. In that fashion the "administer nodes" should only allow you to PICK a layout (something like picking "Default layout set" in the edit screen of content type) and not really modify any of the existing layouts which could affect potentially the WHOLE site.

1b. And that is similar to how the menu module works. "administer nodes" does not allow you to modify menus as a whole, only to add new items to them. You need "administer menu for that.

2. its misleading to have "edit the layouts" permission since "administer nodes" does the same thing.

3. your module does not allow an admin to let an editor moderate nodes ("administer nodes") but not modify their layouts (which is a VERY valid use case). You might argue that you can give the editor "edit, create, delete" permission on all the content types and deny "administer nodes" but that would not allow him to access "admin/content/node" and thus do any productive work.

my 2c

bengtan’s picture

bengtan commented

> ... Taxonomy module allows you to modify vocabularies and terms
> only with "administer taxonomy" permission ... And that is similar to
> how the menu module works.

Nodes are separate from taxonomy and nodes are separate from menus. To the extent there there is an overlap between nodes and taxonomy, and between nodes and menus, 'administer nodes' permission allows a user to edit the 'overlap'. I agree with this.

However, where I don't agree is that I consider composite layout to be part of a node. Then:

A. A site administrator with 'administer nodes' should be able to change any part of a node.

B. Composite Layout is part of a node.

C. Hence, a site administrator with 'administer nodes' should be able to change the composite layout settings of a node ie. A + B => C.

Given that these are differences of opinion, there is no absolute right or absolute wrong, and we could argue both our respective positions forever. So ...

> 3. your module does not allow an admin to let an editor moderate nodes
> ("administer nodes") but not modify their layouts (which is a VERY valid use case)

Here's a potential compromise:

Did you know it's possible to write a custom module that changes Composite Layout's behaviour to be what you want? It's just a couple of snippets of code to poke some data structures.

Then, you can handle your use case, and I don't have to change my idea of what 'administer nodes' is supposed to mean.

giorgosk’s picture

giorgosk
Location Chios, Greece 🇬🇷
commented
Category: bug » feature
Status: Active » Closed (works as designed)

I agree its a matter of opinion and we could argue for ever

maybe a note in the documentation that "administer nodes" has the same effect as "edit the layouts" would suffice

Can you point me to that part of the documentation that changes Composite behavior ? I would appreciate it.

bengtan’s picture

bengtan commented

Hi,

> part of the documentation that changes Composite behavior

No, it's not in the documentation.

I meant writing a separate add-on module that modifies Composite Layout's behaviour to suit yourself. This would be something only you would use.

You could write your own module that:

o Uses hook_form_alter() to manipulate the $form structure after Composite Layout's implementation of hook_form_alter() so only users with 'edit composite layouts' are able to edit.

o Uses hook_menu_alter() to replace the call to composite_access() with your own modified fork of composite_access() so only users with 'edit composite layouts' see the Zones and other tabs.

Essentially, this module would be a patch, but it patches functionality, instead of patching source code.

Now, this presumes you are comfortable writing a custom module for yourself. If not, then maybe we need to re-think this.

giorgosk’s picture

giorgosk
Location Chios, Greece 🇬🇷
commented

I am not very familiar with writing custom modules but don't worry about me (I will eventually get there)

if you think this might be a worthy feature you could have an option in the configuration that the admin chooses if the permission to edit layouts is affected by the "administer nodes" permission or not !!

If you are interested in this I can try to prepare something in a patch, it should not be too difficult !!

giorgosk’s picture

giorgosk
Location Chios, Greece 🇬🇷
commented
Title: Permissions "administer nodes" should not be allowed to "edit composite layouts" » Option for Permissions "administer nodes" to be allowed to "edit composite layouts"
Status: Closed (works as designed) » Needs review
StatusFileSize
new 601770_composite_perm_admin_nodes_can_edit_layouts.patch1.97 KB

Here is a tiny patch that lets you choose whether "administer nodes" gets to "edit layouts" (configured per content type)

Current behaviour is the default behaviour thus it will not affect any users updating the module
(administer nodes can edit the layouts)

tested it and its working fine

bengtan’s picture

bengtan commented

Hi,

I appreciate your effort.

However ... two issues:

1. I don't see a demand for this, and I'm very reluctant to add something very situational or specific that only one person is using.

2. The setting 'Permission "admininster nodes" can "edit the layouts".' is better off as a global setting, which means it should be in a admin page under Site Configuration. Unfortunately, there is no such existing admin page, so a new one will have to be created.

So ... sorry. Firstly, I'm not sure if I want to accept this functionality. Secondly, I don't think your patch is suitable.

giorgosk’s picture

giorgosk
Location Chios, Greece 🇬🇷
commented
Status: Needs review » Closed (fixed)

OK since the patch won't be accepted
here is a easier to maintain solution if anyone is interested

put following code in your template.php

function phptemplate_node_form($form){
  if( user_access('edit composite layouts') == FALSE )
    unset($form['composite_settings']);

  return theme_node_form($form);
}
giorgosk’s picture

giorgosk
Location Chios, Greece 🇬🇷
commented

Forgot to remove the tabs for the unauthorized user

This is to be put in your template.php

function phptemplate_node_form($form){
  if( user_access('edit composite layouts') == FALSE )
    unset($form['composite_settings']);

  return theme_node_form($form);
}

function phptemplate_preprocess(&$variables, $hook) {
  if( user_access('edit composite layouts') == FALSE ) {
    phptemplate_removetab('Zones', $variables);
    phptemplate_removetab('Fields', $variables);
    phptemplate_removetab('Blocks', $variables);
  }
  return $variables;
}

function phptemplate_removetab($label, &$vars) {
  $tabs = explode("\n", $vars['tabs']);
  $vars['tabs'] = '';

  foreach($tabs as $tab) {
    if(strpos($tab, '>' . $label . '<') === FALSE) {
      $vars['tabs'] .= $tab . "\n";
    }
  }
}

NOTE: Tried using altering of menu tabs per user
using my own module

function composite_alter_menu_alter(&$items) {
  if( user_access('edit composite layouts') == FALSE ){
    //unset($items['node/%node/composite_zones']);
    $items['node/%node/composite_zones']['type'] = MENU_CALLBACK; 
    $items['node/%node/composite_field']['type'] = MENU_CALLBACK; 
    $items['node/%node/composite_block']['type'] = MENU_CALLBACK; 
  }
}

but could not get it to work
if I remove the user_access check then it works but tabs disappear for ALL users

giorgosk’s picture

giorgosk
Location Chios, Greece 🇬🇷
commented

But I finally got it to work as a module !!

composite_alter.info

; $Id$
name = Composite Layouts Alter Permissions
description = Allows only users with "edit the layouts" to administer composite layouts.
core = 6.x
package = "Composite Layout"
dependencies[] = composite

composite_alter.module

function composite_alter_menu_alter(&$items) {
  $types = composite_get_types();
  foreach ($types as $type) {    
    if ($type['local task']) {
      $items['node/%node/composite_' . $type['type']]['access callback'] = 'composite_alter_access';
    }
  }
  $items['node/%node/composite_zones']['access callback'] = 'composite_alter_access';  
  return $items;
}

function composite_alter_access($tab, $op, $node) {
  if (user_access('edit composite layouts')) {
    return composite_access($tab, $op, $node);
  }
}