Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.When creating a new node, a user without the administer node privilege can still see and set author information.
This was introduced in commit dcb096823b8aa001214d7ec32e3362445aca76b6 [1] for #1804402: Core fieldsets unavailable after adding steps to nodeform. When we check if the core fieldsets belong to this step we set access to true even if the user doesn't have access to them.
I suggest handling the core fieldsets in the same manner as the other fields and just firing a continue; earlier in the loop. I'll attach a patch in the first reply for this.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | msnf-users-can-see-core-fieldsets-without-permission-1948110-1.patch | 1.38 KB | Dean Reilly |
Comments
Comment #1
Dean Reilly CreditAttribution: Dean Reilly commentedPatch attached.
Comment #2
stBorchertWow.
Thanks for finding this and a big "Thank you!" for the patch!
Committed to 7.x-1.x-dev. I think its time for a new relaease ;)