Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
// $Id: node.module,v 1.641.2.17 2006/10/18 20:14:42 killes Exp $
function node_add() approx at line 1776 seems buggy to me:
if (node_access('create', $type)) {
should be replaced by
if(module_invoke(node_get_base($type), 'access', 'create', $type)) {
this hides all types, which users are not allowd to create.
Comment | File | Size | Author |
---|---|---|---|
#4 | node_access_create_content.patch | 523 bytes | geodaniel |
Comments
Comment #1
Anonymous (not verified) CreditAttribution: Anonymous commentedI confirm this bug and the suggested patch for Drupal 4.7.5 (though I did not get the time to ensure it is the correct way to do it, only the fact that it works for me).
// $Id: node.module,v 1.641.2.31 2007/01/04 20:50:02 killes Exp $
The only difference is on the line number where it's line 1803 in 4.7.5 version (not 1776 like in 4.7.4).
Comment #2
Anonymous (not verified) CreditAttribution: Anonymous commentedIt is also valid for the 4.7.6 version of Drupal.
// $Id: node.module,v 1.641.2.32 2007/01/29 21:39:28 killes Exp $
It is located at line 1807
Comment #3
Damien Tournoud CreditAttribution: Damien Tournoud commentednode_access()
correctly invokesmodule_invoke(node_get_module_name($node), 'access', $op, $node)
.Note that if an user has the
'administer nodes'
permissions, it will bypass any node access control.Comment #4
geodaniel CreditAttribution: geodaniel commentedI'm not sure 'administer nodes' should always be used as a definitive key to everything. Just because somebody has that privilege doesn't necessarily mean that they have privileges to 'create pages', 'create stories' or the like. In most cases I suspect they would, but it's not a given. From what I can tell 'administer nodes' is more given as a way to let people edit existing content, not necessarily create new content.
The patch attached stops node_access bombing out on 'administer nodes' and instead leaves it up to the modules to define the whether a user can 'create' or not.
Comment #5
StevenPatzMaybe the title and docs need updated/changed but this is by design.
Comment #6
Damien Tournoud CreditAttribution: Damien Tournoud commentedThis was by design. Closing now.
Comment #7
udig CreditAttribution: udig commentedGreat post - thanks for the patch