Index: modules/node/node.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/node/node.admin.inc,v retrieving revision 1.24 diff -u -p -r1.24 node.admin.inc --- modules/node/node.admin.inc 19 Jul 2008 19:04:24 -0000 1.24 +++ modules/node/node.admin.inc 7 Sep 2008 02:36:18 -0000 @@ -437,26 +437,39 @@ function _node_mass_update_batch_finishe /** * Menu callback: content administration. + * + * @param $for_user + * TRUE if building a list of nodes owned by the current user. */ -function node_admin_content($form_state) { +function node_admin_content($form_state, $for_user = FALSE) { if (isset($form_state['values']['operation']) && $form_state['values']['operation'] == 'delete') { return node_multiple_delete_confirm($form_state, array_filter($form_state['values']['nodes'])); } $form = node_filter_form(); $form['#theme'] = 'node_filter_form'; - $form['admin'] = node_admin_nodes(); + $form['admin'] = node_admin_nodes($for_user); return $form; } /** * Form builder: Builds the node administration overview. + * + * @param $for_user + * TRUE if building a list of nodes owned by the current user. */ -function node_admin_nodes() { - +function node_admin_nodes($for_user = FALSE) { + global $user; + $filter = node_build_filter_query(); + + if ($for_user) { + $filter['where'] .= ' AND u.uid = %d'; + $filter['args'][] = $user->uid; + } + $result = pager_query(db_rewrite_sql('SELECT n.*, u.name FROM {node} n ' . $filter['join'] . ' INNER JOIN {users} u ON n.uid = u.uid ' . $filter['where'] . ' ORDER BY n.changed DESC'), 50, 0, NULL, $filter['args']); // Enable language column if locale is enabled or if we have any node with language @@ -468,6 +481,7 @@ function node_admin_nodes() { '#title' => t('Update options'), '#prefix' => '
', '#suffix' => '
', + '#access' => user_access('administer nodes'), ); $options = array(); foreach (module_invoke_all('node_operations') as $operation => $array) { @@ -488,6 +502,8 @@ function node_admin_nodes() { $destination = drupal_get_destination(); $nodes = array(); while ($node = db_fetch_object($result)) { + // First check the user's permissions for this node + $nodes[$node->nid] = ''; $options = empty($node->language) ? array() : array('language' => $languages[$node->language]); $form['title'][$node->nid] = array('#markup' => l($node->title, 'node/' . $node->nid, $options) . ' ' . theme('mark', node_mark($node->nid, $node->changed))); @@ -497,9 +513,9 @@ function node_admin_nodes() { if ($multilanguage) { $form['language'][$node->nid] = array('#markup' => empty($node->language) ? t('Language neutral') : t($languages[$node->language]->name)); } - $form['operations'][$node->nid] = array('#markup' => l(t('edit'), 'node/' . $node->nid . '/edit', array('query' => $destination))); + $form['operations'][$node->nid] = array('#markup' => l(t('edit'), 'node/' . $node->nid . '/edit', array('query' => $destination)), '#access' => node_access('update', node_load($node->nid))); } - $form['nodes'] = array('#type' => 'checkboxes', '#options' => $nodes); + $form['nodes'] = array('#type' => 'checkboxes', '#options' => $nodes, '#access' => user_access('administer nodes')); $form['pager'] = array('#markup' => theme('pager', NULL, 50, 0)); $form['#theme'] = 'node_admin_nodes'; return $form; 
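Review bot: The added comment `// First check the user's permissions for this node` in the `while` loop of node_admin_nodes() is not followed by any check; the next line only seeds `$nodes[$node->nid]`. In an access-control change, a comment that promises an authorisation check which does not exist will mislead the next reader. Either drop it or move it next to the `node_access('update', …)` call added in the following hunk. The loop body continues outside this hunk.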
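Review bot: The `'#access' => user_access('administer nodes')` added to `$form['nodes']` (and to the options fieldset in the earlier hunk) gates the bulk controls only at the form-element level, while the menu entry in node.module no longer requires 'administer nodes'. That leaves the submit handlers and the `operation == 'delete'` branch of node_admin_content() as the remaining enforcement point; they are not part of this diff, so confirm they re-check `user_access('administer nodes')` before acting on `$form_state['values']['nodes']`. Separately, `node_load($node->nid)` now runs once per listed row only to feed node_access(); if the `n.*` row already carries the fields node_access() reads, passing `$node` directly would avoid those loads, but verify that before changing it.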
@@ -558,18 +574,30 @@ function theme_node_admin_nodes($form) { // the title form elements. $has_posts = isset($form['title']) && is_array($form['title']); $select_header = $has_posts ? theme('table_select_header_cell') : ''; - $header = array($select_header, t('Title'), t('Type'), t('Author'), t('Status')); + + if ($form['nodes']['#access']) { + $header[] = $select_header; + } + + $header[] = t('Title'); + $header[] = t('Type'); + $header[] = t('Author'); + $header[] = t('Status'); + if (isset($form['language'])) { $header[] = t('Language'); } $header[] = t('Operations'); $output = ''; - + $output .= drupal_render($form['options']); if ($has_posts) { foreach (element_children($form['title']) as $key) { $row = array(); - $row[] = drupal_render($form['nodes'][$key]); + if ($form['nodes']['#access']) { + $row[] = drupal_render($form['nodes'][$key]); + } + $row[] = drupal_render($form['title'][$key]); $row[] = drupal_render($form['name'][$key]); $row[] = drupal_render($form['username'][$key]); Index: modules/node/node.module =================================================================== RCS file: /cvs/drupal/drupal/modules/node/node.module,v retrieving revision 1.973 diff -u -p -r1.973 node.module --- modules/node/node.module 31 Aug 2008 15:50:35 -0000 1.973 +++ modules/node/node.module 7 Sep 2008 02:36:19 -0000 
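Review bot: In theme_node_admin_nodes() the single `$header = array(...)` assignment is replaced by a series of `$header[] = …` appends, and nothing in the visible lines initialises `$header` first. Add `$header = array();` before the `if ($form['nodes']['#access'])` test so the variable does not depend on PHP's implicit array creation. The same `#access` test is repeated inside the row loop; reading it once into a local such as `$show_select = !empty($form['nodes']['#access']);` keeps the header and row columns in step and tolerates a form where the key is missing. The function body continues outside this hunk.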
@@ -1487,16 +1487,27 @@ function node_menu() { 'title' => 'Content', 'description' => "View, edit, and delete your site's content.", 'page callback' => 'drupal_get_form', - 'page arguments' => array('node_admin_content'), - 'access arguments' => array('administer nodes'), + 'page arguments' => array('node_admin_content', TRUE), + 'access callback' => 'node_content_page_access', ); - $items['admin/content/node/overview'] = array( - 'title' => 'List', + $items['admin/content/node/user'] = array( + 'title' => 'My Content', 'type' => MENU_DEFAULT_LOCAL_TASK, - 'weight' => -10, ); + $items['admin/content/node/all'] = array( + 'title' => 'All Content', + 'description' => "View, edit, and delete your site's content.", + 'page arguments' => array('node_admin_content'), + 'access callback' => 'node_content_page_access', + 'type' => MENU_LOCAL_TASK, + 'weight' => 5, + ); + + + + $items['admin/content/node-settings'] = array( 'title' => 'Post settings', 'description' => 'Control posting behavior, such as teaser length, requiring previews before posting, and the number of posts on the front page.', @@ -2059,7 +2070,7 @@ function node_search_validate($form, &$f */ function node_access($op, $node, $account = NULL) { global $user; - + if (!$node) { return FALSE; } 
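Review bot: Both `admin/content/node` and the new `admin/content/node/all` drop `'access arguments' => array('administer nodes')` in favour of `node_content_page_access`, so the full listing built by node_admin_nodes() becomes reachable by any account holding almost any node permission. The query in node.admin.inc selects from `{node}` with no status condition of its own, and db_rewrite_sql() presumably adds only node-access grants, so titles and authors of other users' unpublished nodes may now be listed for non-administrators (the added test even asserts that an unprivileged user sees another user's title on this page). If that exposure is not intended, add a published-only condition to the listing query for accounts without 'administer nodes', or keep `'access arguments' => array('administer nodes'),` on the `all` tab. The run of blank lines added after the `all` item can also be dropped. node_menu() continues outside this hunk.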
@@ -2124,6 +2135,26 @@ function node_access($op, $node, $accoun } /** + * Checks whether the current user has access to the content list page + */ +function node_content_page_access() { + // These permissions are skipped + $exclusions = array('access content', 'view revisions'); + + // If the user has no permission to access content, return false right away + if (user_access('access content') == FALSE) { + return FALSE; + } + + foreach (array_keys(node_perm()) as $perm) { + if (user_access($perm) && !in_array($perm, $exclusions)) { + return TRUE; + } + } + return FALSE; +} + +/** * Generate an SQL join clause for use in fetching a node listing. * * @param $node_alias Index: modules/node/node.test =================================================================== RCS file: /cvs/drupal/drupal/modules/node/node.test,v retrieving revision 1.5 diff -u -p -r1.5 node.test --- modules/node/node.test 30 Aug 2008 13:08:05 -0000 1.5 +++ modules/node/node.test 7 Sep 2008 02:36:19 -0000 @@ -257,9 +257,9 @@ class PageEditTestCase extends DrupalWeb $web_user = $this->drupalCreateUser(array('edit own page content', 'create page content')); $this->drupalLogin($web_user); $edit = array( - 'title' => '!SimpleTest! test title' . $this->randomName(20), - 'body' => '!SimpleTest! test body' . $this->randomName(200), - ); + 'title' => '!SimpleTest! test title' . $this->randomName(20), + 'body' => '!SimpleTest! test body' . $this->randomName(200), + ); //Create the page to edit $this->drupalPost('node/add/page', $edit, t('Save')); 
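Review bot: node_content_page_access() grants access through a deny-list: any permission returned by node_perm() other than the two in `$exclusions` opens the content admin listing. A permission added to node_perm() later would therefore silently widen access to this page. An explicit allow-list, or an early `user_access('administer nodes')` check followed by the specific create/edit permissions you mean to admit, fails closed instead. The loose comparisons are worth tightening too: `if (!user_access('access content')) {` and `!in_array($perm, $exclusions, TRUE)`. The docblock should also gain an `@return` line stating that it returns TRUE when the current user may view the listing.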
@@ -433,4 +433,45 @@ class NodeTitleXSSTestCase extends Drupa $this->drupalGet('node/' . $node->nid . '/edit'); $this->assertNoRaw($xss, t('Harmful tags are escaped when editing a node.')); } +} + +class ContentAdminPagesCase extends DrupalWebTestCase { + /** + * Implementation of getInfo(). + */ + function getInfo() { + return array( + 'name' => t('Content Admin Pages'), + 'description' => t('Create users and content to test the content admin pages functionality.'), + 'group' => t('Node'), + ); + } + + function testContentAdminPages() { + // Prepare an admin user to test admin functionality. + $admin_user = $this->drupalCreateUser(array('access administration pages', 'administer nodes')); + $this->drupalLogin($admin_user); + + // Ensure the admin user can edit any content. + $created_node = $this->drupalCreateNode(array('type' => 'page')); + $this->drupalGet('admin/content/node/all'); + $this->assertResponse(200); + $this->assertText('edit', t('Admin user has edit link.')); + $this->drupalLogout(); + + // Ensure users don't see edit links for content they don't have rights to edit. + $base_user = $this->drupalCreateUser(array('access administration pages', 'edit own page content', 'create page content')); + $this->drupalLogin($base_user); + $this->drupalGet('admin/content/node/all'); + $this->assertResponse(200); + $this->assertText($created_node->title, t('Unprivileged users can content')); + $this->assertNoText('edit', t('Edit links do not show up for users without rights')); + + // Ensure users content shows up on their 'My Content' page, and they have edit links. + $user_node = $this->drupalCreateNode(array('type' => 'page', 'uid' => $base_user->uid)); + $this->drupalGet('admin/content/node/user'); + $this->assertText($user_node->title, t('Users own content is displayed')); + $this->assertNoText($created_node->title, t('Nodes not belong to user are not displayed')); + + } } \ No newline at end of file
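Review bot: The assertions in testContentAdminPages() that stand in for the access check, `assertText('edit', …)` and `assertNoText('edit', …)`, match the bare word "edit" anywhere on the page, so they can pass or fail for reasons unrelated to the edit link (the menu description added in node.module itself contains "edit"). Asserting on the link target is more reliable, for example `$this->assertNoRaw('node/' . $created_node->nid . '/edit', …)`, with the positive counterpart for the admin user. The test also never checks the cases this patch makes security-relevant: that a user with no node permission is denied the page, that the bulk-update controls are absent for a non-administrator, and that the 'My Content' page really shows an edit link for `$user_node`, as its comment claims. The message `t('Unprivileged users can content')` is missing a verb, and the file now ends without a trailing newline.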