workflow_form_alter accessable by all users

There seems to be a problem with checkboxes in line 622. Anonymous user stealth-selected itself on first edit of workflow permissions.

I noticed that table 'workflow_transitions', column 'roles' had entries like ',3' in it.
I was also getting 'may do these transitions:' with no role name, and all the transitions except for those involving author displayed.

Editing out the prepended comma solved that. When I removed all the transitions the table was cleared
and when I added them back they were inserted correctly.

So I'm assuming that this was a leftover from a previous bug where an array with an empty initial element was imploded, giving "nothing","number".

The workflow tab is still there though. The problem there lies in the code circa lines 90 - 100.

array_intersect($roles, $allowed_roles) gives 'author' even when the user role is anonymous, not logged in
and with no access rights except 'access content'

how to fix it without breaking what it is supposed to do is the problem I'm trying to unravel now. ;-/

HTH

I have attached a proposed fix.

'author' only gets added to the $roles array if $node->uid == $user->uid

Please test.

HTH

I forgot to set status ;-)

Committed. Thanks.