When a user with only permission to create limited node types goes to example.com/node/add, he is shown a list of all node types rather than just the ones he can create.

In the navigation block however, he can only see those types of nodes he can create. Sorry that came out kind of broken, but it's tough to describe. Basically, limited-permission users are given too many unusable options at /node/add

CommentFileSizeAuthor
#1 node_add.patch815 bytesDriesK
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

DriesK’s picture

DriesK CreditAttribution: DriesK commented
Assigned: Unassigned » DriesK
Status: Active » Needs review
FileSize
node_add.patch815 bytes

This is a bug that has been bothering me since long. However, the problem that you describe _only_ happens if the user has the 'administer nodes' permission (if you don't grant 'administer nodes' to the user's role, the page displays as expected).

The reason is the use of node_access(), which first checks 'administer nodes' (and returns TRUE) before checking any other permissions through hook_access. The attached patch calls hook_access() in node_add() instead of node_access().

morisy’s picture

morisy CreditAttribution: morisy commented

Thanks! That's more a dumb mistake on my part than a bug, then ... but you're right, that is kind of annoying. Thanks for the patch.

simon rawson’s picture

simon rawson CreditAttribution: simon rawson commented

+1 for this patch from me

it still applies to latest CVS.

JonBob’s picture

JonBob CreditAttribution: JonBob commented
Status: Needs review » Reviewed & tested by the community

Works like a charm for me.

moshe weitzman’s picture

moshe weitzman CreditAttribution: moshe weitzman commented

this bug is obiovus on scratch.drupal.org if you aren't uid=1 :)

Dries’s picture

Dries CreditAttribution: Dries commented
Status: Reviewed & tested by the community » Fixed

Committed. Thanks.

Anonymous’s picture

(not verified) CreditAttribution: commented
Status: Fixed » Closed (fixed)