Index: modules/node/node.module =================================================================== RCS file: /cvs/drupal/drupal/modules/node/node.module,v retrieving revision 1.1075 diff -u -p -r1.1075 node.module --- modules/node/node.module 27 Jun 2009 18:19:41 -0000 1.1075 +++ modules/node/node.module 1 Jul 2009 06:39:05 -0000 @@ -1293,6 +1293,10 @@ function node_perm() { 'title' => t('Delete revisions'), 'description' => t('Delete content revisions.'), ), + 'view own unpublished content' => array( + 'title' => t('View own unpublished content'), + 'description' => t('View unpublished content created by the user'), + ), ); foreach (node_type_get_types() as $type) { @@ -2270,17 +2274,22 @@ function node_access($op, $node, $accoun return $access; } + // Check if authors can view their own unpublished nodes. + if ($op == 'view' && !$node->status && user_access('view own unpublished content', $account) && $account->uid == $node->uid && $account->uid != 0) { + return TRUE; + } + // If the module did not override the access rights, use those set in the // node_access table. - if ($op != 'create' && $node->nid && $node->status) { + if ($op != 'create' && $node->nid) { $query = db_select('node_access'); $query->addExpression('COUNT(*)'); - $query - ->condition(db_or() - ->condition('nid', 0) - ->condition('nid', $node->nid) - ) - ->condition('grant_' . $op, 1, '>='); + $query->condition('grant_' . $op, 1, '>='); + $nids = db_or()->condition('nid', $node->nid); + if ($node->status) { + $nids->condition('nid', 0); + } + $query->condition($nids); $grants = db_or(); foreach (node_access_grants($op, $account) as $realm => $gids) { @@ -2299,11 +2308,6 @@ function node_access($op, $node, $accoun ->fetchField(); } - // Let authors view their own nodes. - if ($op == 'view' && $account->uid == $node->uid && $account->uid != 0) { - return TRUE; - } - return FALSE; } Index: modules/node/node.test =================================================================== RCS file: /cvs/drupal/drupal/modules/node/node.test,v retrieving revision 1.33 diff -u -p -r1.33 node.test --- modules/node/node.test 22 Jun 2009 09:10:05 -0000 1.33 +++ modules/node/node.test 1 Jul 2009 06:39:06 -0000 @@ -545,13 +545,76 @@ class NodeRSSContentTestCase extends Dru } /** - * Test case to verify hook_node_access_records_alter functionality. + * Test case to verify node_access functionality. + * Not covered is hook_access and hook_node_access_records. */ -class NodeAccessRecordsAlterUnitTest extends DrupalWebTestCase { +class NodeAccessUnitTest extends DrupalWebTestCase { + private $perms; + public static function getInfo() { return array( - 'name' => t('Node access records alter'), - 'description' => t('Test hook_node_access_records_alter when acquiring grants.'), + 'name' => t('Node access'), + 'description' => t('Test node_access function'), + 'group' => t('Node'), + ); + } + + // Asserts functionality of node_access. + function assertNodeAccess($ops, $node, $account) { + foreach ($ops as $op => $result) { + $msg = t('node_access returns @result with operation \'@op\'.', array('@result' => $result ? 'true' : 'false', '@op' => $op)); + $this->assertEqual($result, node_access($op, $node, $account), $msg); + } + } + + // Clear permissions for authenticated users. + function setUp() { + parent::setUp(); + db_delete('role_permission') + ->condition('rid', DRUPAL_AUTHENTICATED_RID) + ->execute(); + } + + function testNodeAccess() { + // Ensures user without 'access content' permission can do nothing. + $web_user1 = $this->drupalCreateUser(array('create page content', 'edit any page content', 'delete any page content')); + $node1 = $this->drupalCreateNode(array('type' => 'page')); + $this->assertNodeAccess(array('create' => FALSE), 'page', $web_user1); + $this->assertNodeAccess(array('view' => FALSE, 'update' => FALSE, 'delete' => FALSE), $node1, $web_user1); + + // Ensures user with 'bypass node access' permission can do everything. + $web_user2 = $this->drupalCreateUser(array('bypass node access')); + $node2 = $this->drupalCreateNode(array('type' => 'page')); + $this->assertNodeAccess(array('create' => TRUE), 'page', $web_user2); + $this->assertNodeAccess(array('view' => TRUE, 'update' => TRUE, 'delete' => TRUE), $node2, $web_user2); + + // User cannot 'view own unpublished content'. + $web_user3 = $this->drupalCreateUser(array('access content')); + $node3 = $this->drupalCreateNode(array('status' => 0, 'uid' => $web_user3->uid)); + $this->assertNodeAccess(array('view' => FALSE), $node3, $web_user3); + + // User can 'view own unpublished content', but another user cannot. + $web_user4 = $this->drupalCreateUser(array('access content', 'view own unpublished content')); + $web_user5 = $this->drupalCreateUser(array('access content', 'view own unpublished content')); + $node4 = $this->drupalCreateNode(array('status' => 0, 'uid' => $web_user4->uid)); + $this->assertNodeAccess(array('view' => TRUE, 'update' => FALSE), $node4, $web_user4); + $this->assertNodeAccess(array('view' => FALSE), $node4, $web_user5); + + // Tests the default access provided for a published node. + $node5 = $this->drupalCreateNode(); + $this->assertNodeAccess(array('create' => FALSE), 'page', $web_user3); + $this->assertNodeAccess(array('view' => TRUE, 'update' => FALSE, 'delete' => FALSE), $node5, $web_user3); + } +} + +/** + * Test case to verify hook_node_access_records functionality. + */ +class NodeAccessRecordsUnitTest extends DrupalWebTestCase { + public static function getInfo() { + return array( + 'name' => t('Node access records'), + 'description' => t('Test hook_node_access_records when acquiring grants.'), 'group' => t('Node'), ); } @@ -566,7 +629,7 @@ class NodeAccessRecordsAlterUnitTest ext /** * Create a node and test the creation of node access rules. */ - function testGrantAlter() { + function testNodeAccessRecords() { // Create an article node. $node1 = $this->drupalCreateNode(array('type' => 'article')); $this->assertTrue(node_load($node1->nid), t('Article node created.')); @@ -587,13 +650,23 @@ class NodeAccessRecordsAlterUnitTest ext $this->assertEqual($records[0]->realm, 'test_page_realm', t('Grant with page_realm acquired for node without alteration.')); $this->assertEqual($records[0]->gid, 1, t('Grant with gid = 1 acquired for node without alteration.')); + // Create an unpromoted, unpublished page node. + $node3 = $this->drupalCreateNode(array('type' => 'page', 'promote' => 0, 'status' => 0)); + $this->assertTrue(node_load($node3->nid), t('Unpromoted, unpublished page node created.')); + + // Check to see if grants added by node_test_node_access_records made it in. + $records = db_query('SELECT realm, gid FROM {node_access} WHERE nid = %d', $node3->nid)->fetchAll(); + $this->assertEqual(count($records), 1, t('Returned the correct number of rows.')); + $this->assertEqual($records[0]->realm, 'test_page_realm', t('Grant with page_realm acquired for node without alteration.')); + $this->assertEqual($records[0]->gid, 1, t('Grant with gid = 1 acquired for node without alteration.')); + // Create a promoted page node. - $node3 = $this->drupalCreateNode(array('type' => 'page', 'promote' => 1)); - $this->assertTrue(node_load($node3->nid), t('Promoted page node created.')); + $node4 = $this->drupalCreateNode(array('type' => 'page', 'promote' => 1)); + $this->assertTrue(node_load($node4->nid), t('Promoted page node created.')); // Check to see if grant added by node_test_node_access_records was altered // by node_test_node_access_records_alter. - $records = db_query('SELECT realm, gid FROM {node_access} WHERE nid = %d', $node3->nid)->fetchAll(); + $records = db_query('SELECT realm, gid FROM {node_access} WHERE nid = %d', $node4->nid)->fetchAll(); $this->assertEqual(count($records), 1, t('Returned the correct number of rows.')); $this->assertEqual($records[0]->realm, 'test_alter_realm', t('Altered grant with alter_realm acquired for node.')); $this->assertEqual($records[0]->gid, 2, t('Altered grant with gid = 2 acquired for node.')); Index: modules/system/system.install =================================================================== RCS file: /cvs/drupal/drupal/modules/system/system.install,v retrieving revision 1.349 diff -u -p -r1.349 system.install --- modules/system/system.install 30 Jun 2009 17:15:09 -0000 1.349 +++ modules/system/system.install 1 Jul 2009 06:39:06 -0000 @@ -2226,6 +2226,21 @@ function system_update_7028() { /** + * Add new 'view own unpublished content' permission for authenticated users. + * Preserves legacy behavior from Drupal 6.x. + */ +function system_update_7029() { + $ret = array(); + db_insert('role_permission') + ->fields(array( + 'rid' => DRUPAL_AUTHENTICATED_RID, + 'permission' => 'view own unpublished content', + )) + ->execute(); + return $ret; +} + +/** * @} End of "defgroup updates-6.x-to-7.x" * The next series of updates should start at 8000. */ Index: profiles/default/default.profile =================================================================== RCS file: /cvs/drupal/drupal/profiles/default/default.profile,v retrieving revision 1.51 diff -u -p -r1.51 default.profile --- profiles/default/default.profile 27 Jun 2009 17:32:00 -0000 1.51 +++ profiles/default/default.profile 1 Jul 2009 06:39:06 -0000 @@ -230,6 +230,14 @@ function default_profile_tasks(&$task, $ ))->execute(); } + // Add 'view own unpublished content' permission for authenticated users. + db_insert('role_permission') + ->fields(array( + 'rid' => DRUPAL_AUTHENTICATED_RID, + 'permission' => 'view own unpublished content', + )) + ->execute(); + // Update the menu router information. menu_rebuild();