// $Id: node.module,v 1.641.2.17 2006/10/18 20:14:42 killes Exp $

function node_add() approx at line 1776 seems buggy to me:

if (node_access('create', $type)) {

should be replaced by

if(module_invoke(node_get_base($type), 'access', 'create', $type)) {

this hides all types, which users are not allowd to create.

CommentFileSizeAuthor
#4 node_access_create_content.patch523 bytesgeodaniel
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Anonymous’s picture

Version: 4.7.4 » 4.7.5

I confirm this bug and the suggested patch for Drupal 4.7.5 (though I did not get the time to ensure it is the correct way to do it, only the fact that it works for me).

// $Id: node.module,v 1.641.2.31 2007/01/04 20:50:02 killes Exp $

The only difference is on the line number where it's line 1803 in 4.7.5 version (not 1776 like in 4.7.4).

Anonymous’s picture

Version: 4.7.5 » 4.7.6

It is also valid for the 4.7.6 version of Drupal.

// $Id: node.module,v 1.641.2.32 2007/01/29 21:39:28 killes Exp $

It is located at line 1807

Damien Tournoud’s picture

Status: Active » Closed (works as designed)

node_access() correctly invokes
module_invoke(node_get_module_name($node), 'access', $op, $node).

Note that if an user has the 'administer nodes' permissions, it will bypass any node access control.

geodaniel’s picture

Status: Closed (works as designed) » Needs review
FileSize
523 bytes

I'm not sure 'administer nodes' should always be used as a definitive key to everything. Just because somebody has that privilege doesn't necessarily mean that they have privileges to 'create pages', 'create stories' or the like. In most cases I suspect they would, but it's not a given. From what I can tell 'administer nodes' is more given as a way to let people edit existing content, not necessarily create new content.

The patch attached stops node_access bombing out on 'administer nodes' and instead leaves it up to the modules to define the whether a user can 'create' or not.

StevenPatz’s picture

Maybe the title and docs need updated/changed but this is by design.

Damien Tournoud’s picture

Status: Needs review » Closed (fixed)

This was by design. Closing now.

udig’s picture

Great post - thanks for the patch