Even when editing of a node in a certain state is restricted to a certain role, the owner of that node may continue to edit it although he isn't part of that role.

Comments

xjm’s picture

I encountered the same problem with the 1.0 release version of na_arbitrator under 4.7.3. View permissions are correctly enforced, and the node_access table appears to contain all the appropriate ones and zeroes for affected nodes. However, users have edit permission on nodes even in workflow states that they shouldn't--both the author and other roles could edit a document in a state where no role had edit permissions per the workflow access configuration.

I fully disabled and removed all other access control modules such that only the na_arbitrator, acl, and workflow_access were running.

xjm’s picture

In my case, at least, this issue was related to CCK. Upon closer observation, I noticed I only encountered the problem on custom content types; when I used the same workflow for the built-in story type, the workflow worked as intended.

The issue is that CCK's hook_access() trumps the access control set by workflow_access (and, presumably, the arbitrator in general). So, if the CCK access control settings indicate a user should be able to edit her own gizmowidget type nodes, then she'll always be able to edit gizmowidget nodes she's created, even when the workflow state says she shouldn't.

In essence, workflow_access can only grant privileges, not revoke them. So, the obvious place is to revoke all privileges across the board (including create? except create?) and let workflow_access grant them when appropriate. In my case I unchecked every privilege for every role in the content section of the access control panel. CCK stopped interfering, workflow_access took over, and the workflow worked properly.

Perhaps this info will help if the OP fell into the same trap (although I realize this issue is very old).
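An added example, not part of the thread and not Drupal or CCK source: a simplified PHP model of the decision order described in the comment above, where a grant from the content type's hook_access() is final and the workflow_access grants are consulted only when the hook has no opinion. The role names, workflow states, sample data, and function names are assumptions made for illustration.

```php
<?php
// Simplified model of the access decision order described in the thread.
// Not Drupal or CCK source: all function names and sample data are hypothetical.

// Content-type permissions per role (the "content" section of access control).
$type_perms = array(
  'author' => array('edit own gizmowidget content'),
  'editor' => array(),
);

// Edit grants from workflow_access, keyed by workflow state (constructed sample).
$workflow_edit_grants = array(
  'draft'  => array('author'),
  'review' => array('editor'),
  'locked' => array(),
);

// Stand-in for the type module's hook_access(): TRUE grants, NULL means no opinion.
function type_hook_access($perms, $role, $type, $is_owner) {
  if (in_array("edit $type content", $perms[$role])) return TRUE;
  if ($is_owner && in_array("edit own $type content", $perms[$role])) return TRUE;
  return NULL;
}

// A non-NULL hook answer is final; stored grants are consulted only after NULL.
function can_edit($perms, $grants, $role, $type, $state, $is_owner) {
  $answer = type_hook_access($perms, $role, $type, $is_owner);
  if (!is_null($answer)) return $answer;
  return in_array($role, $grants[$state]);
}

// List role/state pairs where the node owner can edit without a workflow grant.
function find_bypasses($perms, $grants, $type) {
  $found = array();
  foreach ($perms as $role => $unused) {
    foreach ($grants as $state => $allowed) {
      if (can_edit($perms, $grants, $role, $type, $state, TRUE) && !in_array($role, $allowed)) {
        $found[] = "$role/$state";
      }
    }
  }
  return $found;
}

// Audit with the type permission checked, then with it unchecked.
print_r(find_bypasses($type_perms, $workflow_edit_grants, 'gizmowidget'));
$type_perms['author'] = array();
print_r(find_bypasses($type_perms, $workflow_edit_grants, 'gizmowidget'));
```

The first audit lists the states in which the owner can still edit despite having no workflow grant; the second, run after the content-type permission is unchecked, lists none.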

gcassie’s picture

This was spot on. Thanks very much, xjm.

merlinofchaos’s picture

Status: Active » Closed (fixed)