Posted by Christoph C. Cemper on July 4, 2006 at 8:21pm
| Project: | Drupal core |
| Version: | 7.x-dev |
| Component: | node system |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
While using the framework of merlin
http://www.angrydonuts.com/publishing_articles_a_tutorial
for implementing a good workflow,
I noticed the following bug in node.module that disables checking
of node_access for unpublished nodes...
it says:
<?php
// If the module did not override the access rights, use those set in the
// node_access table.
#
#CCC: this disallows checking of node_access on unpublished nodes... what sense does this make?
# if ($op != 'create' && $node->nid && $node->status) {
if ($op != 'create' && $node->nid ) {
?>
it is however desirable to work on unpublished nodes with other editors that DO NOT
have the "administer node" privilege, so IMO removing the check for status should be just fine...
what are your architects' views? which implications does this have?
Thanks C.Cemper
Comments
#1
#2
yes, that check should probably go. but we do need to hide unpublished nodes from regular users so i think all node modules should implement 'view own unpublished' functionality in their hook_access(). this need not be a new permission. hope that makes sense.
#3
Moshe,
the privileges in node_access are managed perfectly by
# na_arbitrator
# workflow_access
see http://www.angrydonuts.com/publishing_articles_a_tutorial
I wonder why a separate, hard-wired (hard coded!) implementation of privilege hooks would make sense?
the next guy that needs it round-other-way will issue it as a bug again
what's Drupal-Strategy? either it's configurable and flexible or hard-wired? I chose it for the first ...
christoph
#4
naturally we prefer configurable over hard wired. but we also must provide sensible defaults for people who don't use those contrib modules. if you have a solution in mind to this need, please share.
#5
Moshe,
btw - is extra code really needed?
- unpublished nodes are not visible to normal users anyway
- viewing its own nodes was only disabled by the above IF statement
- if this 1-line fix would be left in there, the behaviour that people could read their own unpublished posts would stick.... and that's the most sensible default i can think of... I mean posting to a black-hole would mean a rather obscure function, eh? and those who need it could implement specific node_access rules (as I did :-)
what do you think?
christoph
#6
I also found this behaviour kind of bizarre... I wanted to implement a "view unpublished nodes" permission without having to hack node.module, and having that && $node->status there kind of severely limits my options. ;)
However, merely removing && $node->status is not the right solution; this makes it so unpublished nodes are always visible to everyone (even anonymous users) by going to node/# and that's no good.
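Added example (not part of the thread and not Drupal's node.module): a simplified model of the check debated above, comparing the original condition, the one-line removal from the issue summary, and a hypothetical `scoped` variant that combines the ideas in #2 and #6. It assumes the grants table contains a catch-all row (nid 0, realm `all`) that lets everyone view; the `workflow` realm, gids, uids and the names `has_grant` and `can_view` are constructed for illustration.

```php
<?php
// Simplified model of the check discussed in this thread; not Drupal's node.module.
// ASSUMPTION: the grants table holds a catch-all row (nid 0, realm 'all') that
// grants view to everyone, which is why dropping the status test fails open.
$node_access = [
  ['nid' => 0, 'realm' => 'all',      'gid' => 0, 'grant_view' => 1], // catch-all (assumed)
  ['nid' => 7, 'realm' => 'workflow', 'gid' => 3, 'grant_view' => 1], // editors (constructed)
];

// $grants maps realm => gids held by the account; every account holds 'all' => [0].
function has_grant(array $table, int $nid, array $grants, bool $use_catch_all): bool {
  foreach ($table as $row) {
    if ($row['nid'] === 0 && !$use_catch_all) continue; // skip the catch-all row
    if (($row['nid'] === 0 || $row['nid'] === $nid)
        && in_array($row['gid'], $grants[$row['realm']] ?? [], true)
        && $row['grant_view'] >= 1) {
      return true;
    }
  }
  return false;
}

// Decide 'view' access for one of the three variants being compared.
function can_view(string $variant, array $table, array $node, array $account): bool {
  $published = (bool) $node['status'];
  switch ($variant) {
    case 'original': // if ($op != 'create' && $node->nid && $node->status)
      return $published && has_grant($table, $node['nid'], $account['grants'], true);
    case 'removed':  // if ($op != 'create' && $node->nid)
      return has_grant($table, $node['nid'], $account['grants'], true);
    case 'scoped':   // hypothetical: unpublished needs a node-specific grant or ownership
      return has_grant($table, $node['nid'], $account['grants'], $published)
          || (!$published && $account['uid'] !== 0 && $account['uid'] === $node['uid']);
  }
  throw new InvalidArgumentException($variant);
}

$draft = ['nid' => 7, 'uid' => 5, 'status' => 0]; // unpublished node (constructed)
$accounts = [
  'anonymous' => ['uid' => 0, 'grants' => ['all' => [0]]],
  'editor'    => ['uid' => 9, 'grants' => ['all' => [0], 'workflow' => [3]]],
  'author'    => ['uid' => 5, 'grants' => ['all' => [0]]],
];
foreach (['original', 'removed', 'scoped'] as $variant) {
  foreach ($accounts as $name => $account) {
    $ok = can_view($variant, $node_access, $draft, $account);
    printf("%-8s %-9s %s\n", $variant, $name, $ok ? 'allow' : 'deny');
  }
}
```

Running it prints one allow/deny line per variant and account for the unpublished node, so the anonymous row of the `removed` variant can be compared directly with the other two.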
#7
Bumping this to 6.x-dev because I think this is 'by design'.
Anyway, it is a limitation that should be addressed.
#8
#9
Subscribing...
#10
sub
#11
subscribing