I ran into a problem where I needed users to only have access to their own galleries (based on Jeff Eatons Video "Photo Galleries With Views attach"

The problem is that the original code in line 111 only checks if a user has the permission to create the subcontent - in this case the permission to "create image content". There are no checks on the actual node itself (in this case the "gallery content type"

Since this is a reference there needs to be additional glue code to (optionally) allow only certain users to see the "Add photo" link

To achieve this I added node_access('update', $node) to the if statement on line 111.

The logic is: The user needs both the rights to edit the gallery (because adding a photo to that "container" is technically speaking "editing"), AND he needs the rights to create the subcontent type - the photo.

With this approach you have the best of both worlds because you can set "Edit own gallery content" if you don't want users to add photos to other galleries, and you can give a higher level maintenance user access to "Edit Any gallery content"

Patch to follow

CommentFileSizeAuthor
#1 nodereference_url-640822-multiuser-permissions.patch909 bytesnightowl77

Comments

nightowl77’s picture

nightowl77 commented
Status: Active » Needs review
StatusFileSize
new nodereference_url-640822-multiuser-permissions.patch909 bytes

Patch below. This patch also includes the patch I submitted for http://drupal.org/node/534112. Sorry if I did this the wrong way (and please correct me).

Hope this helps!

Désiré’s picture

Désiré commented

The patch works, but this is only half-measure.
Removes the link, but it is still possible to add content.

On the /node/add/'content-type-name'/'node-id' page.

quicksketch’s picture

quicksketch
he/him
commented
Category: feature » support
Status: Needs review » Fixed

I think Désiré is correct. This approach is flawed because it doesn't actually disable the ability to create new image content in galleries that aren't created by the user. What you should do instead is edit the node reference field and restrict the list of referenceable content to be only those nodes that the user created (by using a View instead of restricting by node type). This will have the effect of not only hiding the link, but also making it impossible for users to reference content they did not create by visiting node/add/image/[nid].

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.