First, thank you for the great module.

I am using lasted and greatest released and non-beta modules for Drupal 6.

Editable fields works as expected if the user has "edit any" permission, but does not work at all if the user does not.

I am granting the user permission with nodeaccess_userreference-6.x-2.1.tar.gz and other than editablefields, everything works great.

This could certainly be my mistake somewhere. I am happy to troubleshoot.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Anonymous’s picture

Any update on this?

Shouldn't editablefields have its own permission system?

ju.ri’s picture

I can confirm this. My site shows a views block with editable fields, with the "user=current user" filter, so it shows only the users own profile node. The editable fields don't show up at all when the user doesn't have the "edit any" permission.

ju.ri’s picture

the code resposible seems to be this:

  if (!node_access('update',$node) || !content_access('edit', $field)) {

This doesn't seem to work when the editable field is inside a view.

I could remove the whole access check section for my site, because is checked elsewhere. but that's not a solution of course.

rjbrown99’s picture

+1

Even though the user has "edit own XYZ content" permission, the editable fields do not show up in the resulting view. When the user is granted "edit any XYZ content" permission, all of the editable fields show up. This is using 6.x-1.2.

Anonymous’s picture

I have a more improtant issue:

- I want to allow users to edit fields with editablefields on node view
- I do NOT want users to EDIT the actual node

For this, editablefields really needs its own permission system. E.g. Authenticated users may edit fields, whilst they may not edit the node (node/12/edit)

Anonymous’s picture

Status: Active » Needs review

SOLVED: In order to override content access permissions (such as 'edit any'), do this:

EDIT editablefields.module

ADD somewhere (e.g. at the top):

/**
 * Implementation of hook_perm().
 */
function editablefields_perm() {
  return array('edit all editablefields');
}

FIND:
if (!node_access('update',$node) || !content_access('edit', $field)) {
CHANGE TO:
if ((!node_access('update',$node) || !content_access('edit', $field)) && !user_access('edit all editablefields')) {

FIND in function editablefields_html():
if (node_access('update', $node)) {
CHANGE TO:
if (node_access('update', $node) || user_access('edit all editablefields')) {

FIND in function editablefields_submit():
if (node_access('update', $node)) {
CHANGE TO:
if (node_access('update', $node) || user_access('edit all editablefields')) {

And then go to user permission, and select which roles should have "edit all editablefields".

Thank you,

haroon373’s picture

Thanks mxistence
Its a great solution for user permission

But in my case,
I have a profile field in a view. Like First Name, Last Name etc. These are all created from CCK under content type of profile. And these fields are editable in view.

The problem is, if i use your (above) changes, or i allow edit any profile content, then any user can edit anyones first name and last name fields.

I just want to permit a user to view only other user's profile and edit its own profile content.

I hope you understande what i am trying to say. You can ask question if there is some problem.

Sorry for the stupid question, but i am newbi in drupal development.

Any help will be greatly appriciated.

haroon373’s picture

Yuppi... :)
I just resolve the issue I described above
Thanks to "mxistence" who show me the way :D

What I did is, i didn't impliment any hook. I just do the following steps:

FIND:
if (!node_access('update',$node) || !content_access('edit', $field)) {
CHANGE TO:
if ((!node_access('update',$node) || !content_access('edit', $field)) && (!user_access('edit own profile content', $account) && ($account->uid == $node->uid))) {

FIND in function editablefields_html():
if (node_access('update', $node)) {
CHANGE TO:
if (node_access('update', $node) || (!user_access('edit own profile content', $account) && ($account->uid == $node->uid))) {

FIND in function editablefields_submit():
de_access('update', $node)) {
CHANGE TO:
if (node_access('update', $node) || (!user_access('edit own profile content', $account) && ($account->uid == $node->uid))) {

Now these line will check that, is this the right user on his own profile page to edit it? then it will allow him to edit the profile fields.

I hope this solution will help anyone...

BUT
I face problem after doing this. when i go to any other user's profile page to view his profile, application show the that much alert boxes that much fields are on page.

What i did to resolve it is, just comment the line ~53 in module/editablefields/editablefields.js which is looks like
alert(Drupal.t("An error occurred at ") + url);

But this is not the solution... :P
any one can help me to resolve this issue.

bengtan’s picture

Hi,

I have a clean fix.

For editablefields 6.x-1.2, in the file editablefields.module, in the function theme_editablefields_formatter_editable(), change line 73 from:

$node = $element['#node'];

to

$node = node_load($element['#node']->nid);

The bug was that $node wasn't actually a node object. Hence, the subsequent node_access() call was failing because it was getting garbage.

bengtan’s picture

For those who are using editablefields 6.x-2.x, the relevant line number is line 79.

Or else you can apply the patch from comment #1 of #578678: Replace ajax loads with inline html widgets. Improve load time by 90%+.

bengtan’s picture

Status: Needs review » Fixed

The suggested fix from comment #9 has been committed to cvs and will be incorporated into the next release of editablefields.module.

Until that time, you can patch your own site by following the directions in comment #9. Thank you.

maverick14’s picture

+1 waiting for the next release of this module including the permission fix.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

rjbrown99’s picture

Status: Closed (fixed) » Reviewed & tested by the community

I am re-opening this. Beng's change was merged out of the latest module release so node access permissions are now broken again. #9 is still the fix.

The fix was reverted in the following commit:
http://drupalcode.org/viewvc/drupal/contributions/modules/editablefields...

Lots of other things seem to have been reverted in that commit so it may warrant a closer look at that change.

Can someone please re-commit this fix back to the main module? Access permissions are broken without it. Thanks.

markfoodyburton’s picture

Version: 6.x-1.2 » 6.x-2.x-dev

Very odd!

Must have been a mistake - anyway - I've re-committed. I've checked the other changes - they look OK .
BTW, this is for the 2.x branch now, please test out 2.x-dev and see if it's ok

Thanks

Mark

catorghans’s picture

I downloaded latest dev and no function "function editablefields_perm" found.

NaX’s picture

Status: Reviewed & tested by the community » Needs review

node_access for me is returning the wrong value.

I am using some more advanced access control modules like "Node Access User Reference" and if my user goes to the node the edit tab appears and they are able to edit the node and the node form only shows the the correct fields per the field permissions.

The only time things go wrong is when not full nodes are used with node_access.

This in the end fixed it for me.

  // This is needed for node_access to query node_access_grants
  $node->status = 1;
  if (!node_access('update', $node) || !content_access('edit', $field)) {

If you look in views (views_handler_field_node_link_edit.inc) they doing the same thing.

If you look at http://api.drupal.org/api/function/node_access/6 you will see the problem code if ($op != 'create' && $node->nid && $node->status) {

I hope that helps.

aaronschachter’s picture

the code in #9 works for me, using 6x-2.0. the code to change in the theme_editablefields_formatter_editable function can be found on line 87.

Vidus’s picture

I'm trying the 6.3x dev version, and still have the problem listed above. I've given my users field permission to edit a given field (Review Status), but they do not have the ability to edit the node itself, just the field.

What I'd like is to have the user able review a node, make a comment, then change the status of the field to Reviewed, so it no longer shows up on a list of nodes to review.

However, I can't get the editable field to show unless the users have the ability to edit all nodes of that type and the field as well.

Neither the patch in #9 no the 6.3x dev is getting it work for me.

Also worth noting I'm using the HTML version of the field, and working it through a view. Though, it also doesn't' work on node view either.

mry4n’s picture

Status: Needs review » Fixed

#9 also works for me.

It also looks like this change has already been rolled into the latest git versions of 6.x-2.x & 6.x-3.x (which I believe are the dev versions?).

As far as #17 goes, I just tried using the Node Access User Reference, and it worked just fine. I used it in a View and in Node view.

In any case, since this change has already been rolled into branches, I don't see any reason to not mark this as fixed?

-Mike

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

jhedstrom’s picture

Status: Closed (fixed) » Needs work

The solution in #17 is the proper solution (so that access that is only granted my node access modules will work). However, I'm not sure that hard-coding $node->status = 1 is the solution--a person could easily make a view where in fact the status was not 1.

jhedstrom’s picture

Status: Needs work » Needs review
FileSize
742 bytes

Here's a patch that checks if $node->status is already set. If it isn't, it checks for $node->node_status (which is how the field comes through from views). This still isn't perfect, as I think that field name will change with more complex views.

johnv’s picture

SocialNicheGuru’s picture

Deleted comment

jhedstrom’s picture

FileSize
742 bytes

Re-rolling to cleanly apply to 2.x dev.

rho_’s picture

Path in #22 applied cleanly form me. Thanks jhedstrom.

naero’s picture

For some reason, the patch isn't working for me and my CCK field, which is also controlled by Content Access.

Which permissions are required in order for a certain role to use editable fields? Can someone explain what this code is doing?

if (!node_access('update', $node)

I ended up commenting out this code to make it work:

  // See if access to this form element is restricted,
  // if so, skip widget processing and just set the value.
  if (!node_access('update', $node) || !content_access('edit', $field)) {
    // can't edit
    $formatter_name = 'default';
    if ($formatter = _content_get_formatter($formatter_name, $field['type'])) {
      $theme = $formatter['module'] . '_formatter_' . $formatter_name;
      return theme($theme, $element);
    }
  }
  else {
naero’s picture

Okay, #6 definitely solved my issue. I applied his code manually to the latest 6.x-2.x-dev version.

SocialNicheGuru’s picture

Is there a Drupal 7 version?

rafaqz’s picture

Also wondering about this in drupal 7. In my views tables currently only admin can view editable fields, having edit any permission. But I want them to be accessible for users to edit their own content. Any ideas?

ncarty97’s picture

Close to a year since the last post, but this still seems to be an issue for D7. Any update?

dags’s picture

Permissions were introduced in 7.x here: #1730600: "Use editablefields" permission

If that doesn't solve the issue, please set the "Version" of this issue to 7.x-1.x-dev.

ncarty97’s picture

Ok, thanks. I did move to the dev version and that has exposed the permission. Still can't get it to work on my view, but that may be me.

alpiniste’s picture

Issue summary: View changes

I second #34. I installed and enabled 7.x-1.x-dev (Last updated: September 30, 2013 - 21:24), and it has indeed exposed the editablefields permission, however when I gave the permission to anonymous, it didn't work on my view.

keeprock’s picture

Version: 6.x-2.x-dev » 7.x-1.x-dev

It's not working on a last 7.x-1.x-dev using views 3. Tries to create a specific role for a user, considering problem in role permission system, but still no luck.

Currently working for solution, because I need to implement this in my current project. Will post a patch if come up with anything.

milos.kroulik’s picture

I also need a solution for this.

keeprock’s picture

I was able to solve this using "Field Permissions" module. At least user can see content now, but still no edit functionality.

johnkareoke’s picture

Look forward to a solution to this. Just ran into this issue

cimo75’s picture

Field Permissions module fixed part of the issue for me as in a file entity the File field does not accept custom permission from this module.
S.