I have a site with a node created before I installed private.module. This node is not editable by its creator.

I then installed private and made it so that all nodes of "content type A" are private (hidden so user can't change it). I create another node with the same user... that new node is private to all other users BUT the author can now edit the node. He still can't edit the other node that isn't private (which is good).

So private module doesn't seem to obey the "edit own content type A content" permissions.

Comments

David Lesieur

Title: This allows users to edit their own nodes, even if they do not have permission » Module does not obey to "edit own [content type] content" permission

I have also observed this problem.

jonlibrary

I have a Rule (using the Rules module) for revoking a user's role after three nodes of a certain type are created. However, even after I revoked the role that had allowed them to create and edit content of a certain type, users could still edit nodes that were marked private.

Hopefully this doesn't make things worse, but I got around this by changing lines 118 and 119 in private.module to FALSE:

118 'grant_update' => FALSE, // changing from TRUE, trying to fix not editing private nodes after revoking role
119 'grant_delete' => FALSE, // ditto

Everything seems to work properly...
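
Added example, not part of the original thread and not private.module or Drupal code: a stand-alone PHP model of why an author grant with grant_update set to TRUE lets the author edit without the "edit own" permission, and what changing the flag to FALSE does. It assumes the content-type permission is checked first and grant records are consulted only when that check gives no answer; all function names and the realm name are hypothetical.

```php
<?php
// Simplified model (assumption): update access is decided by the content-type
// permission first; stored grant records are consulted only as a fallback.

/** Grant record stored for a private node; the flags mirror lines 118-119. */
function model_author_grant(int $author_uid, bool $grant_update): array {
  return [
    'realm' => 'example_author',      // hypothetical realm name
    'gid' => $author_uid,             // the grant is keyed to the node author
    'grant_view' => TRUE,
    'grant_update' => $grant_update,
    'grant_delete' => $grant_update,
  ];
}

/** TRUE when the permission allows the edit, NULL when it has no opinion. */
function model_permission_check(array $account, array $node): ?bool {
  $own = $account['uid'] === $node['uid'];
  $perm = 'edit own ' . $node['type'] . ' content';
  if ($own && in_array($perm, $account['permissions'], TRUE)) {
    return TRUE;
  }
  return NULL;  // a missing permission is "no opinion", not a denial
}

/** Final decision: permission first, then any matching grant record. */
function model_can_update(array $account, array $node, array $grants): bool {
  $by_permission = model_permission_check($account, $node);
  if ($by_permission !== NULL) {
    return $by_permission;
  }
  foreach ($grants as $grant) {
    if ($grant['gid'] === $account['uid'] && $grant['grant_update']) {
      return TRUE;  // the grant alone is enough; the permission is never re-checked
    }
  }
  return FALSE;
}

// Constructed sample data: one private node and two versions of its author.
$node = ['nid' => 1, 'uid' => 7, 'type' => 'a'];
$revoked = ['uid' => 7, 'permissions' => []];
$permitted = ['uid' => 7, 'permissions' => ['edit own a content']];

var_dump(model_can_update($revoked, $node, [model_author_grant(7, TRUE)]));
var_dump(model_can_update($revoked, $node, [model_author_grant(7, FALSE)]));
var_dump(model_can_update($permitted, $node, [model_author_grant(7, FALSE)]));
```

In this model the author whose role was revoked can still edit while the grant carries grant_update TRUE, loses edit access once the flag is FALSE, and an author who holds the permission keeps edit access either way.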

vyahhi

Same bug with the latest version 7.x-1.2.

adamps

Issue summary: View changes
Status: Active » Closed (outdated)

The D7 issue is #2660598: Private access bypasses content type edit permissions. D6 is no longer supported so closing this issue.