Hi,

While writing my test for the story_access function, I realized that the admin can't delete or edit a node which doesn't belong to him.

Am I right? I thought that he could do everything... I'm not familiar with Drupal yet, but I'm investigating it :-) like Sherlock Holmes :)

Comments

kuba.zygmunt

I have this question, because I found in story module:
if (user_access('edit own stories') && ($user->uid == $node->uid)) {

and the condition ($user->uid == $node->uid) denies editing to anybody apart from the owner.

rivena

Hm, I don't think that is quite right. I could delete your post right now, but you are technically the owner. So admins who have proper permissions can edit and delete anyone's nodes, not just their own.

Please try testing this with a test user if you are not sure.

Anisa.

-----------------------------------------------------------
Kindness builds stronger bonds than necessity.

www.animecards.org - 16,000 card scans and counting!
-----------------------------------------------------------

kuba.zygmunt

Thank you for replying. I've checked this possibility, and you are right. But I must admit, this was a little bit confusing.
I'm a programmer, so I always look into the code to find out what it is doing. Now I am writing a test (using the SimpleTest module for Drupal) for the story_access function (in story.module), and this function doesn't let you do everything as the superuser (admin). You can see the snippet of code I put above as a confirmation of my predictions.

So, how is it possible to edit or delete nodes that aren't yours?
Here is the answer:
You delete or edit nodes using a DIFFERENT module (called node.module) and a different function, which I suppose is one of the core's mechanisms ;-). Simple, isn't it?

So the story_access function returns False when the admin is trying to edit nodes that aren't his own.

Finally, I'll write down what my test checks in the story_access function:

* if admin (uid = 1) can 'create' story - expect True
* if admin can 'edit own story' - expect True
* if admin can 'delete own story' - expect True
All three tests above are independent of the permission table (in the database). The last two return True only if node->uid = user->uid.

Next, I obtain all the rules existing in the database and, on the basis of this, I get the uid of a user for each rule (with uid > 1, so as not to take the admin account into consideration). Then I run the following tests for each uid:
* if the user can 'create', 'edit', 'delete' a story. The expectation depends on the permissions given to the certain role.
Example: if the role has permission to create a new story, I expect True in the return value, and analogously, if the role hasn't got permission to create a new story, I expect False.

Finally, I do two tests where the node's uid is different from the user's uid and expect False:
* if the user can edit a node that isn't its own
* if the user can delete a node that isn't its own

:-) and that's all.
I don't know if these tests correspond to the deliverables of the Drupal automated test suite. I've written an email to Moshe and I'm waiting for a response :-)
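The two-level check the thread describes, as an added stand-alone model (not code from the thread or from Drupal core): a module hook that requires ownership even for uid 1, wrapped by a core-style check that short-circuits for 'administer nodes' before the hook is consulted. The permission table, user objects and node objects are constructed for the example; the function names mirror Drupal's but are simplified stand-ins.

```php
<?php
// Constructed permission table: role => granted permissions (assumption).
$PERMS = array(
  'editor'  => array('create stories', 'edit own stories'),
  'visitor' => array(),
);

// Stand-in for user_access(): uid 1 passes every permission check,
// everyone else is checked against their role's permissions.
function model_user_access($perm, $user, $perms) {
  if ($user->uid == 1) {
    return TRUE;
  }
  $granted = isset($perms[$user->role]) ? $perms[$user->role] : array();
  return in_array($perm, $granted);
}

// Stand-in for the module-level story_access() hook quoted in the thread:
// update/delete additionally require the caller to own the node, so this
// returns FALSE for uid 1 on someone else's story.
function model_story_access($op, $node, $user, $perms) {
  if ($op == 'create') {
    return model_user_access('create stories', $user, $perms);
  }
  if ($op == 'update' || $op == 'delete') {
    return model_user_access('edit own stories', $user, $perms)
      && ($user->uid == $node->uid);
  }
  return FALSE;
}

// Stand-in for the core-level check in node.module: an 'administer nodes'
// grant (which uid 1 always has) answers before the module hook is asked.
function model_node_access($op, $node, $user, $perms) {
  if (model_user_access('administer nodes', $user, $perms)) {
    return TRUE;
  }
  return model_story_access($op, $node, $user, $perms);
}

// Constructed actors and node: admin (uid 1), an editor (uid 2), a story owned by uid 3.
$admin  = (object) array('uid' => 1, 'role' => 'admin');
$editor = (object) array('uid' => 2, 'role' => 'editor');
$story  = (object) array('uid' => 3);

var_dump(model_story_access('update', $story, $admin, $PERMS));  // bool(false): hook alone denies
var_dump(model_node_access('update', $story, $admin, $PERMS));   // bool(true): core wrapper grants
var_dump(model_node_access('delete', $story, $editor, $PERMS));  // bool(false): not owner, not admin
var_dump(model_story_access('create', $story, $editor, $PERMS)); // bool(true): role may create
```

The printed results are those the thread's tests expect: the hook alone returns False for the admin on a foreign node, while the node-level check grants it.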