Content type restriction is not respected

Here's a patch.

• Move validation to the validation function.
• Use form_set_error to inform the user what went wrong.
• Replace entire form during AJAX event to allow form_set_error to work properly. This allows the form to even work without AJAX.
• Add a validation function that checks the node type.

By the way there is a comment that says:

It seems silly to re-query the titles every time. is there another way...?

It's not silly, since $form_state is saved in the database in any case. So just saving the $nid somewhere in $form_state and then using node_load() or some other query is perfectly acceptable.

Silly me! I forgot two lines in the patch. Here's a new one.

Yes, you are right. I was working against the clock while making this patch, sorry.

I would add "return" after the first form_set_error, too, and move node_load to below the first if statement. It seems more consistent that way.

There is still a problem when we try to remove the permissions from the users, since the same validation function runs when any button is clicked. Here I added a conditional to run validation only when the relevant button was clicked.

This patch is against the latest dev version, not against 7.x-1.2

My patches were much worse than I thought... You can't add more than one node on the user page. I'll look into it soon.

OK, I ran into this before. We should use drupal_html_id to generate a unique ID for the AJAX replace wrapper, and then store it in form_state. What happened was that every time the form is replaced, the ID changed. Now only the wrapper inside the form is replaced. The wrapper contains the table and the textfield, but not the buttons.

Patch at comment #13 seems to work fine when applied to the latest 7.x-1.x-dev version. I'll do some more testing with real users soon.

The 7.x-1.x-dev version is broken since commit https://cgit.drupalcode.org/flexiaccess/commit/?id=3ea7e94f49158247f7479... , which is my fault.