Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Quick follow-up fix to #452538: Enable Node Grants for Unpublished Nodes:
Permissions are now presented in the order they are defined. Since "Access content" was renamed to "View published content", it looks very odd that "View own unpublished content" is deeply buried somewhere below and in between.
Further suggestions in http://drupal.org/node/452538#comment-2697000 already incorporated into this patch.
Comment | File | Size | Author |
---|---|---|---|
#17 | drupal.node-permissions.17.patch | 3.19 KB | sun |
#1 | drupal.node-permissions.1.patch | 3.58 KB | sun |
#1 | node-permissions.1.png | 23.75 KB | sun |
node-permissions.png | 18.38 KB | sun | |
drupal.node-permissions.0.patch | 2.32 KB | sun | |
Comments
Comment #1
sunAlso, am I the only one who finds all of those node type permission rows ungrokable?
How about this?
Comment #2
jhodgdonI like this arrangement and text...
Can we also add an explanation to the Administer Content permission? Given the "bypass node permissions" permission, I for one have no idea what administer content does any more.
[greps through the code]
OK. It looks like Administer Content (aka 'administer nodes') gives you permission to:
- View, revert, delete all revisions
- See edit/delete links on the book admin page [this is probably a bug -- shouldn't it be bypass node access? -- see theme_book_admin_table -- and why is it in a theme function anyway?]
- See the update options drop-down on the node admin page (bulk update options)
- When editing a node, override: creating a revision, author field, publishing options (published, sticky, etc.)
- Edit any poll node [this is likely a bug -- see poll_form() -- shouldn't it be bypass node access?]
- Set up initial poll vote totals
What a mess...
Comment #3
jhodgdonAlso, I think the bypass permission gives you permission to create all content, besides view, edit, delete.
Comment #4
jhodgdonJust one other note on the 'administer nodes' permission:
That bulk operations thing -- whatever any module adds in there, someone with 'administer nodes' permission can do, without further permissions checks (unless the module puts a permission check in the function explicitly). So anyone with 'administer nodes' can delete any node (this is defined by the node module), as well as the publication and sticky options. I don't see any other operations defined in core.
EDIT-ADDED:
That's actually interesting, because otherwise I don't think that someone with 'administer nodes' permission has permission to delete a node, such as seeing the delete button on the node edit page.
Comment #5
BenK CreditAttribution: BenK commentedSubscirbing...
Comment #6
sunThese are all nice findings, but
1) I think there's already an issue re: clarification of "administer nodes"
2) there's definitely an issue re: permission descriptions/warnings for administrative permissions.
Comment #7
jhodgdonOK. I'm happy with the above patch, and fine with RTBC, but maybe a UI or Usability person should review it?
Comment #8
aspilicious CreditAttribution: aspilicious commentedI'm in huge favour of this beauty...
Always have problems finding the right permissions, this makes everything much easier and cleaner!
Comment #9
Agileware CreditAttribution: Agileware commentedWorks for me and +1 for the order
Comment #10
sunI guess that means RTBC.
Comment #11
Dries CreditAttribution: Dries commentedI think if we use 'View' in the description, we should also use 'view' in the permission name. Mingling 'view' and 'access' is a tiny bit confusing.
Comment #12
jhodgdonHmmm.... We have other permissions that have historically been named "access *" internally, and it was decided by the UI folks that it was less confusing for the site manager/admin if they were called "View *" on the UI. The internal names were not changed because everyone agreed that as few changes in programmer-facing permission names as possible would be a good idea. Such as, from various hook_permission() implementations:
This particular permission is, I believe, new to Drupal 7, so its internal name could be changed with few consequences, but actually, "access" is more consistent for the internal permission names I think...
If we are going to change the admin-facing name, though, and this patch does (it was previously "Access" for the human-readable name), I guess would vote for "Use the content overview page", to be consistent with:
Comment #13
sunYes, the internal permission names are not changed. The permission titles can change at any time and actually translate into very different strings.
Comment #14
jhodgdonBut your patch did change the human-readable name from "Access" to "View".
Comment #15
realityloop#1: drupal.node-permissions.1.patch queued for re-testing.
Comment #17
sunRe-rolled against HEAD.
Also reverted that human-readable permission title.
Comment #19
sun#17: drupal.node-permissions.17.patch queued for re-testing.
Comment #20
sunSince the only remark about this patch has been addressed (the string change got reverted), I'm re-marking this RTBC.
Comment #21
jhodgdonagreed. Thanks!
Comment #22
klausistill applies.
Comment #23
sun#17: drupal.node-permissions.17.patch queued for re-testing.
Comment #24
sun#17: drupal.node-permissions.17.patch queued for re-testing.
Comment #25
sunJust stumbled again over the awkward mess of node permission labels and order in HEAD. Can we get this sucker in, please?
Comment #26
sun#17: drupal.node-permissions.17.patch queued for re-testing.
Comment #27
aspilicious CreditAttribution: aspilicious commentedSince drupalcon SF we have a rtbc queue problem. This leads to patches being green for ever. This is one of them. Great patch but not critical so no attention for the next months?
When will be the time for these kinda patches?
Comment #28
sun#17: drupal.node-permissions.17.patch queued for re-testing.
Comment #29
sun#17: drupal.node-permissions.17.patch queued for re-testing.
Comment #30
aspilicious CreditAttribution: aspilicious commented*** please commit this ***
Comment #31
Dries CreditAttribution: Dries commentedThis patch doesn't get attention because it is less important. We should focus on bug fixes, and critical bug fixes in particular. It is not because a patch is green that it should be committed.
Comment #32
sun@Dries, sure, though my problem with that is - the last time we added a major UX improvement to permissions (at that time: retaining the order in which they are defined), it was rejected for 6.0, because there already have been published books that contained screenshots of the user permissions UI, and so in order to not confuse those book readers, we didn't improve the permissions. I'd really like to avoid that situation this time. :-|
Comment #33
sun#17: drupal.node-permissions.17.patch queued for re-testing.
Comment #34
sunComment #35
Agileware CreditAttribution: Agileware commented@sun why is this closed - won't fix?
Comment #36
Dave ReidJust because someone is upset doesn't mean we have to mark something as won't fix. Someone else is more than welcome to pick up work on a ticket.
Comment #37
webchickI think this makes sense, and this seems like the right time to make the change.
Committed to HEAD. Thanks!