Index: modules/node/node.admin.inc =================================================================== RCS file: /cvs/drupal/drupal/modules/node/node.admin.inc,v retrieving revision 1.60 diff -u -p -r1.60 node.admin.inc --- modules/node/node.admin.inc 30 Jul 2009 19:24:21 -0000 1.60 +++ modules/node/node.admin.inc 15 Aug 2009 22:33:11 -0000 @@ -397,7 +397,9 @@ function node_admin_nodes() { // Build the sortable table header. $header = array(); - $header[] = theme('table_select_header_cell'); + if (user_access('administer nodes') && user_access('bypass node access')) { + $header[] = theme('table_select_header_cell'); + } $header[] = array('data' => t('Title'), 'field' => 'n.title'); $header[] = array('data' => t('Type'), 'field' => 'n.type'); $header[] = array('data' => t('Author'), 'field' => 'u.name'); @@ -414,14 +416,25 @@ function node_admin_nodes() { ); $query = db_select('node', 'n')->extend('PagerDefault')->extend('TableSort'); - $query->join('users', 'u', 'n.uid = u.uid'); node_build_filter_query($query); - $result = $query + // If the user is able to view their own unpublished nodes, allow them + // to see these in addition to published nodes. Check that they actually + // have some unpublished nodes to view before adding the condition. + if (!user_access('bypass node access') && user_access('view own unpublished content') && $own_unpublished = db_query('SELECT nid FROM {node} WHERE uid = :uid AND status = 0', array(':uid' => $GLOBALS['user']->uid))->fetchCol()) { + $query->condition(db_or()->condition('n.status', 1)->condition('n.nid', $own_unpublished, 'IN')); + } + // If not, restrict the query to published nodes unless the user has the + // bypass node access permission. + else if (!user_access('bypass node access')) { + $query->condition('n.status', 1); + } + + $nids = $query ->fields('n') - ->fields('u', array('name')) ->limit(50) - ->execute(); + ->execute()->fetchCol(); + $nodes = node_load_multiple($nids); // Build the 'Update options' form. $form['options'] = array( @@ -429,6 +442,7 @@ function node_admin_nodes() { '#title' => t('Update options'), '#prefix' => '
', '#suffix' => '
', + '#access' => user_access('administer nodes') && user_access('bypass node access'), ); $options = array(); foreach (module_invoke_all('node_operations') as $operation => $array) { @@ -447,9 +461,9 @@ function node_admin_nodes() { $languages = language_list(); $destination = drupal_get_destination(); - $nodes = array(); - foreach ($result as $node) { - $nodes[$node->nid] = ''; + $nids = array(); + foreach ($nodes as $node) { + $nids[$node->nid] = ''; $options = empty($node->language) ? array() : array('language' => $languages[$node->language]); $form['title'][$node->nid] = array('#markup' => l($node->title, 'node/' . $node->nid, $options) . ' ' . theme('mark', node_mark($node->nid, $node->changed))); $form['name'][$node->nid] = array('#markup' => check_plain(node_type_get_name($node))); @@ -459,11 +473,12 @@ function node_admin_nodes() { if ($multilanguage) { $form['language'][$node->nid] = array('#markup' => empty($node->language) ? t('Language neutral') : t($languages[$node->language]->name)); } - $form['operations'][$node->nid] = array('#markup' => l(t('edit'), 'node/' . $node->nid . '/edit', array('query' => $destination))); + $form['operations'][$node->nid] = array('#access' => node_access('update', $node), '#markup' => l(t('edit'), 'node/' . $node->nid . '/edit', array('query' => $destination))); } $form['nodes'] = array( '#type' => 'checkboxes', - '#options' => $nodes, + '#options' => $nids, + '#access' => user_access('administer nodes') && user_access('bypass node access'), ); $form['pager'] = array('#markup' => theme('pager', NULL)); $form['#theme'] = 'node_admin_nodes'; @@ -529,7 +544,9 @@ function theme_node_admin_nodes($form) { $rows = array(); foreach (element_children($form['title']) as $key) { $row = array(); - $row[] = drupal_render($form['nodes'][$key]); + if (user_access('administer nodes') && user_access('bypass node access')) { + $row[] = drupal_render($form['nodes'][$key]); + } $row[] = drupal_render($form['title'][$key]); $row[] = drupal_render($form['name'][$key]); $row[] = drupal_render($form['username'][$key]); @@ -599,4 +616,4 @@ function node_multiple_delete_confirm_su function node_modules_installed($modules) { // Clear node type cache for node permissions. node_type_clear(); -} \ No newline at end of file +} Index: modules/node/node.module =================================================================== RCS file: /cvs/drupal/drupal/modules/node/node.module,v retrieving revision 1.1099 diff -u -p -r1.1099 node.module --- modules/node/node.module 14 Aug 2009 13:53:01 -0000 1.1099 +++ modules/node/node.module 15 Aug 2009 22:33:14 -0000 @@ -1285,6 +1285,10 @@ function node_permission() { 'title' => t('Bypass node access'), 'description' => t('View, edit and delete all site content. Users with this permission will bypass any content-related access control. %warning', array('%warning' => t('Warning: Give to trusted roles only; this permission has security implications.'))), ), + 'access content overview' => array( + 'title' => t('Access content overview'), + 'description' => t('Access the content overview page.'), + ), 'view revisions' => array( 'title' => t('View revisions'), 'description' => t('View content revisions.'), @@ -1645,7 +1649,7 @@ function node_menu() { 'title' => 'Content', 'page callback' => 'drupal_get_form', 'page arguments' => array('node_admin_content'), - 'access arguments' => array('administer nodes'), + 'access callback' => 'node_admin_page_access', 'weight' => -10, ); $items['admin/content/node'] = array( @@ -3150,3 +3154,10 @@ function node_requirements($phase) { ); return $requirements; } + +/** + * Checks whether the current user has access to the content list page. + */ +function node_admin_page_access() { +return user_access('administer nodes') || user_access('access content overview'); +} Index: modules/node/node.test =================================================================== RCS file: /cvs/drupal/drupal/modules/node/node.test,v retrieving revision 1.38 diff -u -p -r1.38 node.test --- modules/node/node.test 28 Jul 2009 19:18:06 -0000 1.38 +++ modules/node/node.test 15 Aug 2009 22:33:15 -0000 @@ -362,6 +362,47 @@ class PageViewTestCase extends DrupalWeb } } +/** + * Test the functionality of the administer content page. + */ +class ContentAdminTestCase extends DrupalWebTestCase { + public static function getInfo() { + return array( + 'name' => t('Content administration overview'), + 'description' => t('Create users and content to test the content admin pages functionality.'), + 'group' => t('Node'), + ); + } + + function setUp() { + parent::setUp(); + $this->admin_user = $this->drupalCreateUser(array('access administration pages', 'administer nodes', 'bypass node access')); + $this->base_user = $this->drupalCreateUser(array('access content overview')); + } + + /** + * Ensure that both administrative users and basic content editors have + * access to the appropriate functionality on the node administration page. + */ + function testContentAdminPages() { + $this->drupalLogin($this->admin_user); + + // Ensure the admin user can edit any content. + $created_node = $this->drupalCreateNode(array('type' => 'page')); + $this->drupalGet('admin/content/node'); + $this->assertResponse(200); + $this->assertText('edit', t('Admin user has edit link.')); + $this->drupalLogout(); + + // Ensure users don't see edit links for content they don't have rights to edit. + $this->drupalLogin($this->base_user); + $this->drupalGet('admin/content/node'); + $this->assertResponse(200); + $this->assertText($created_node->title, t('Edit links disabled without edit permissions.')); + $this->assertNoText('edit', t('Edit links do not show up for users without rights.')); + } +} + class SummaryLengthTestCase extends DrupalWebTestCase { public static function getInfo() { return array(