Users with "administer nodes" can see/edit all meta tag fields even if they have no specific permissions for each meta tag.

I cannot reproduce this on the latest development snapshot.

1. I created a role without any administration permissions, but with the permission to create nodes of a content type.
2. I granted the role the permission to edit 4 meta tags.
3. I logged in with that user, and created a node.
4. I don't see more than 4 meta tags edit fields.

The development snapshot has been changed. Before, all the users with an administration permission (administer nodes, administer users, administer taxonomy, administer meta tags) were able to see all the meta tags edit fields; of course, users with permission to administrate nodes were able to see all the meta tags edit fields in the node edit form, but not in the user profile edit form.
This has been changed, and only users with permission to administer meta tags can see all the meta tags edit fields in whatever page they are shown.

I have marked #658254: In ver. 1.8 manipulation of "Meta tags to show on edit forms" is without effect as duplicate of this report.

I was about to write a test for this issue, but realized it is already being tested:

    // Verify that only COPYRIGHT and DESCRIPTION meta tags are available for
    // this user due to edit meta tag permissions, even if other meta tags are
    // available for editing.
    $this->drupalGet('node/add/page');
    $this->assertField('nodewords[copyright][value]', t('Copyright meta tag field found.'));
    $this->assertField('nodewords[description][value]', t('Description meta tag field found.'));
    $this->assertNoField('nodewords[keywords][value]', t('Keywords meta tag field not found.'));

45 passes, 0 fails, and 0 exceptions -> I ran the testcase and see no errors, so I guess this was already fixed previously.

Make sure you don't have other permissions that may superseed nodeword's meta tag edit permissions for that editor role.

nrackleff, feel free to reopen if you don't find a solution, but do as support request, doesn't seem to be a bug.

I have marked #660056: Since 6.x-1.8 all meta tags are shown in the node edit form as duplicate of this report.

as always I dont get it. maybe you can help me.
i have the same problem, as its showing all the meta tags for every user. even if i have a role that has permission to just a few meta tags i can edit all meta tags in a node.

I read this post http://drupal.org/node/653696 carefully but after nr. 10 I didnt get it anymore. you fixed the problem but what do I do as a user? is it right that I either wait til version 6.x-3.x comes out or use the code from nr. 12?
sorry I'm not programming just justing. that where my problem comes from. maybe you can be so kind to tell me what I do as a next step. many thanks

Let me re-open this as support request. We have tested that (in a clean install) 1.8 version of the module is working fine, so the problem must be in something not fixed during upgrade path (I'd say). But this is surprising, because currently, the 1.8 branch has more than 2k usages, expecting no more than 100 to be new installations, we can assume 1k9 setups are upgrades, and not all have this issue.

Can you provide a list of all the permissions for your roles, as they are in database? not even programming, you should be able to make an export of the 'permissions' table, and attach to this issue. We need more information than just "doesn't work" if you want us to help you.

nrackleff, feel free to do the same.

I have the same issue - despite permissions set to only give access to edit description meta tag, all possible fields were offered.
I upgraded from nodewords 1.0 to 1.8 in drupal 6.13

Even though a role I created "News Poster" only had permission to edit description tag they could see everything.
I switched off permissions for admin role expect description tag and still could see all. (I created an admin role - not user0)

Attached is my permission table.

In an attempt to identify the source of the problem: Does it happen when adding a new node also? or only when editing an existing node?

Thanks for the perms, let me check any possible congruences of permissions.

This are the steps I followed:

• Start with a clean Drupal site
• install nodewords 1.0
• enable basic and extra meta tags
• go to admin/content/nodewords and click SAVE.

Only "description" and "keywords" are enabled for editing, ALL keywords are enable for html output.

so.. next steps:

• Login a regular user, no meta tag permission enabled at all.
• go to add new page, NO META TAGS information is shown.
• As admin, go to permissions, add for authenticated user the following permission: "edit meta tag DESCRIPTION" this is the only permission from meta tag that I have enabled.
• as regular user I'm not able to view any meta tag field when creating a node yet, even if I do have the DESCRIPTION edit meta tag perm.
• as admin, grant the "edit meta tags" permission to authenticated user.
• as regular user, when going to node/add/page, I can see ALL the meta tags enabled for edition.
• as admin I do enable abstract meta tag for edition
• as admin I do enable "edit meta tag ABSTRACT" for authenticated users.
• as regular user I can't see any meta tag field if I don't have "edit meta tags" permission, and if I do have this permission I can view all of the meta tags enabled for edition.

So, I'm currently seeing Keywords, Abstract and Description fields, and I do only have Abstract and Description edit meta tags enabled, in version 1.0 of the module..

Time to update the module.. download version 1.8 and go to update.php, I've found the 6100 update missing in nodewords module selected for the upgrade automatically. clicked update... These are the results:

this message is shown:
"The default meta tags values have been updated; verify they have the correct values in the module settings page."


The following queries were executed
nodewords module
Update #6100

* ALTER TABLE {nodewords} CHANGE `content` `content` LONGTEXT NOT NULL
* CREATE NEW SETTING VARIABLES

Update #6102

* INSERT INTO {nodewords} (type, id, name, content) VALUES ('default', '', 'copyright', 'whatever')
* INSERT INTO {nodewords} (type, id, name, content) VALUES ('default', '', 'geourl', 'nonee,0')
* INSERT INTO {nodewords} (type, id, name, content) VALUES ('default', '', 'keywords', 'the keywods')
* INSERT INTO {nodewords} (type, id, name, content) VALUES ('default', '', 'robots', 'index,follow')

Update #6103

* UPDATE {nodewords} SET name = 'revisit-after' WHERE name = 'Revisit-After'
* UPDATE {nodewords} SET name = 'dc.title' WHERE name = 'DC.Title'
* UPDATE {nodewords} SET type = 'frontpage' WHERE type = 'page' AND id = ''

Update #6104

* UPDATE MODULE SETTINGS

Update #6106

* UPDATE {nodewords} SET name = 'location' WHERE name = 'geourl'

Update #6113

* ALTER TABLE {nodewords} RENAME TO {nodewords_tmp}
* CREATE TABLE {nodewords} ( `mtid` INT NOT NULL auto_increment, `type` VARCHAR(16) NOT NULL DEFAULT '', `id` VARCHAR(255) NOT NULL DEFAULT '', `name` VARCHAR(32) NOT NULL DEFAULT '', `content` LONGTEXT NOT NULL, PRIMARY KEY (mtid), UNIQUE KEY tin (type, id, name), INDEX nodewords_id (id(6)), INDEX nodewords_type (type(6)) ) /*!40100 DEFAULT CHARACTER SET UTF8 */
* DROP TABLE {nodewords_tmp}

Update #6115

* CREATE TABLE {nodewords_custom} ( `pid` INT NOT NULL auto_increment, `path` VARCHAR(255) NOT NULL DEFAULT '', `weight` TINYINT NOT NULL DEFAULT 0, `enabled` TINYINT NOT NULL DEFAULT 1, PRIMARY KEY (pid), UNIQUE KEY path (path) ) /*!40100 DEFAULT CHARACTER SET UTF8 */

Update #6117

* DELETE FROM {nodewords} WHERE type IN ('views', 'panels')

Update #6120

* ALTER TABLE {nodewords} DROP KEY tin
* ALTER TABLE {nodewords} CHANGE `type` `type` VARCHAR(16) NOT NULL DEFAULT ''
* ALTER TABLE {nodewords} CHANGE `id` `id` VARCHAR(255) NOT NULL DEFAULT ''
* ALTER TABLE {nodewords} CHANGE `name` `name` VARCHAR(32) NOT NULL DEFAULT ''
* ALTER TABLE {nodewords} ADD UNIQUE KEY tin (type, id, name)
* ALTER TABLE {nodewords_custom} DROP KEY path
* ALTER TABLE {nodewords_custom} CHANGE `path` `path` VARCHAR(255) NOT NULL DEFAULT ''
* ALTER TABLE {nodewords_custom} ADD UNIQUE KEY path (path)
* ALTER TABLE {nodewords_custom} CHANGE `weight` `weight` TINYINT NOT NULL DEFAULT 0

Update #6122

* UPDATE {nodewords_custom} SET weight = 10 WHERE weight > 10
* UPDATE {nodewords_custom} SET weight = -10 WHERE weight < -10

Update #6128

* DELETE FROM {nodewords} WHERE type = 'offline'

Update #6131

* UPDATE MODULE VARIABLES

Update #6135

* No queries

Update #6136

* UPDATE {system} SET status = 1 WHERE type = 'module' AND name = 'nodewords_basic'
* UPDATE {system} SET status = 1 WHERE type = 'module' AND name = 'nodewords_extra'

Update #6137

* No queries

Update #6139

* No queries

Update #6140

* UPDATE MODULE SETTINGS

Update #6141

* No queries

Update #6143

* No queries

Update #6144

* UPDATE MENUS

Update #6145

* ALTER TABLE {nodewords} DROP KEY tin
* ALTER TABLE {nodewords} DROP INDEX nodewords_id
* ALTER TABLE {nodewords} DROP INDEX nodewords_type
* ALTER TABLE {nodewords} ADD `language` VARCHAR(12) NOT NULL DEFAULT ''
* ALTER TABLE {nodewords} ADD INDEX nodewords_lang (language(6))
* ALTER TABLE {nodewords} ADD INDEX nodewords_name (name(6))
* ALTER TABLE {nodewords} ADD INDEX nodewords_type_id (type(6), id(6))
* ALTER TABLE {nodewords} ADD UNIQUE KEY nodewords_type_id_name_lang (type, id, name, language)

Update #6146

* DELETE FROM {nodewords} WHERE type = 'pager'

Update #6147

* ALTER TABLE {nodewords} DROP KEY nodewords_type_id_name_lang
* ALTER TABLE {nodewords} DROP INDEX nodewords_lang
* ALTER TABLE {nodewords} DROP language
* ALTER TABLE {nodewords} ADD UNIQUE KEY nodewords_type_id_name (type, id, name)

Update #6149

* No queries

Update #6150

* ALTER TABLE {nodewords_custom} ADD `name` MEDIUMTEXT DEFAULT NULL
* ALTER TABLE {nodewords_custom} CHANGE `name` `name` MEDIUMTEXT NOT NULL

Update #6151

* No queries

Update #6153

* ALTER TABLE {nodewords_custom} DROP KEY path

Update #6154

* ALTER TABLE {nodewords_custom} CHANGE `name` `name` VARCHAR(60) NOT NULL DEFAULT ''
* ALTER TABLE {nodewords_custom} CHANGE `path` `path` MEDIUMTEXT NOT NULL

Update #6158

* No queries

Ok, I just did NOTHING else but the update, go to regular user page, and go to node/add/page

• as regular user, I can only see the Abstract and description meta tags when adding a node.

Then.. I do..

• as admin I clicked save at the permissions page, to make sure new permissions are applied, and old permissions are deleted (if any).
• as regular user I see no difference, I can only see the Abstract and Description meta tags when adding a node.
• as admin user I go to meta tag settings page, and the Abstract, Description and Keywords are available for editing.

So I'd say, it is working perfectly.

There is one question around my head about this.. are anyone of you having problems with this using checkall module?

I am changing the status of the report basing on the last comment made from ilo.

Thanks for clarifying.
It looks like a permissions setting conflict in my setup and not a bug.

If you have the Administer Nodes permission applied to a role, you will see all fields from nodewords and not those defined in the nodewords permissions area.

After disabling Administer Nodes from my writer's role, they now only see the meta tags they've been given permission to see.

I guess this makes perfect sense but presents me with other issues.

My writers lose the ability to publish content and change the author of the post to a different username (all posts are written under branded author names). Looks like I will have to get them to use the same login to write content so it appears as from the correct author and create a new role (in the business) to review content and publish it. I'd be losing control over each writer with the global login.

Still, admin's will see all nodewords fields despite limiting them in the nodewords permissions section. I will never use some of them so would be nicer not to have them presented everytime I need to publish content.

If the nodeword permissions over-ride the node permissions I'd have the necessary control over what appeared - which is the impression the permissions setting give and led to the confusion at the beginning.

Thanks
Simon

So, I'd say, think about how would you fix your special use case and open a feature request, this is the only thing I can tell you would do to start finding a solution, just in case this is a problem.

Thanks for your comment. Finally we found the 'hidding' issue :)

I changed the title to reflect this, and tagged as "by design". Kiam, please, provide us with more information about the final status, or if this needs more work.

If you have the Administer Nodes permission applied to a role, you will see all fields from nodewords and not those defined in the nodewords permissions area.

See #653696-12: Users with administration permissions should always be able to edit the meta tags content, where I reported that the code I first submitted on December 8 has been changed; when first all the users with an administration permission was allowed to see the all the meta tags form fields (by that I mean that users with permission to administer nodes were able to see all the edit fields for the node meta tags, users with permission to administer users were able to see all the edit fields for the user profile meta tags, etc), I then changed the code and only users with permission to administer meta tags can see all the meta tags edit fields.

I am marking this report as fixed because this is a support request, and not a bug report.

I have marked #662412: I see all the meta tags when editing as duplicated of this report.

I'm marking this as a bug - this new behavior is incorrect and needs to be fixed.

I need my admins to be able to "administer nodes" but they should NOT see ALL the meta tags fields on a node form.

The previous version of this module worked correctly:
* A user with permission to administer the meta tags module could define which meta tags should show up on the edit form.
* A user with permission to edit the tags can enter values for those meta tags defined by above.

"Administer Nodes" means you can change the values of any of the fields on the node form, but the node form should still obey the meta tags settings.

I understand wanting to add permissions for per-tag settings, but that should further restrict the above behavior, not allow more access!?

The attached patch attached fixed the problem for me.

The code has been already changed, in the last official releases. If you are still using version 6.x-1.8 (which suffered other issues), then you should update.

An official release cannot be changed, once released. If an issue report has been marked as fixed it is because a later version resolved the problem already.

Sorry. latest version still has this bug. My patch applies to 6.x-1.11.

I need my admins to be able to "administer nodes" but they should NOT see ALL the meta tags fields on a node form.

Are you sure you didn't give permission to administer meta tags to users with permission to administer nodes? The code verifies if the user has permission to administer meta tags before to show the editing form fields for all the meta tags.

Removing that code line as just the effect to not allow users with permission to administer meta tags to not be able to see all the meta tags edit fields, which is different from allowing the users with permission to administer nodes to see all the meta tags edit fields.

Works for me, it might be require to rebuild permissions after upgrade to the latest version.

I am using version 6.11. (I installed 6.11 not an upgrade).

I had this same problem with these settings for my editor user:

Administer nodes NO
Nodewords module administer meta tags YES
edit canonical URL meta tag NO
edit meta tag ABSTRACT NO
edit meta tag COPYRIGHT NO
edit meta tag DESCRIPTION YES
edit meta tag KEYWORDS YES
edit meta tag REVISIT-AFTER NO
edit meta tag ROBOTS NO

The editor could see and edit all tags (unwanted behaviour).
The problem existed for both old and new nodes.
__________________
These settings work:

Administer nodes NO
Nodewords module administer meta tags NO
edit canonical URL meta tag NO
edit meta tag ABSTRACT NO
edit meta tag COPYRIGHT NO
edit meta tag DESCRIPTION YES
edit meta tag KEYWORDS YES
edit meta tag REVISIT-AFTER NO
edit meta tag ROBOTS NO

The editor can now only see and edit Description and Keywords.
Which is what I need.

Cheers
Miriam

Administer nodes NO
Nodewords module administer meta tags YES

The permission administer meta tags should be given to trusted roles, not to everybody.