Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.to recreate:
- create two uses, one without administer node privileges
- edit e.g. page.module to give user2 permission to edit a page node type
- create a page node as user1, then edit it as user2
- the node should keep user1 as its author, but instead it changes to user2
I believe this occurs because in node.module around line 1717 the $form['author'] stuff is only shown if user_access('administer nodes') == true. user2 doesn't have that privilege, thus the form fields are never set for them, and hence they get changed to user2 when user2 submits.
My suggestion at a patch would be to add something like this after the if loop:
else {
$form['author']['name'] = array('#type' => 'value', '#value' => $node->name);
}
No time to try to make a patch right now, but hopefully this will help someone else look into it.
If this isn't actually a bug and is in fact the desired functionality +1 from me to get rid of it! The author of a node shouldn't change just because its edited by someone else.
Jake.
| Comment | File | Size | Author |
|---|---|---|---|
| #19 | node-edit-author_2.patch | 2.04 KB | merlinofchaos |
| #14 | node-edit-author_1.patch | 2.13 KB | merlinofchaos |
| #12 | node-edit-author_0.patch | 2.14 KB | merlinofchaos |
| #10 | node-edit-author.patch | 2.58 KB | merlinofchaos |
Comments
Comment #1
jakeg CreditAttribution: jakeg commentedNOTE: to reproduce its crucial that the user that edits the node does NOT have administer nodes privileges, but can edit the node. e.g. to do this, edit hook_access in page.module to return true under op 'edit'
Comment #2
jakeg CreditAttribution: jakeg commentedprobably related to http://drupal.org/node/44598
Comment #3
jakeg CreditAttribution: jakeg commentedalso http://drupal.org/node/5128
Comment #4
jakeg CreditAttribution: jakeg commentedok, so that last link is quite old, sorry
Comment #5
Zen CreditAttribution: Zen commentedJust a note that the OP fails to clarify that this is something that fails when a contrib module is in effect. This could well be a valid issue, but I have not been able to duplicate this in a clean core install - downgrading to normal.
-K
Comment #6
jakeg CreditAttribution: jakeg commentedAgreed, but this is for any contributed module which allows users to edit a node without giving them the catch-all administer_nodes permission.
I think it may also apply to book.module, which is a core module.
I would argue for this reason that it is a critical bug.
Comment #7
deekayen CreditAttribution: deekayen commentedHaving to edit the source to create a bug doesn't qualify as a critical bug. I say not only is it not critical, but if it's a contrib problem, file the report with the affected contribs.
FYI, book.module has its own permission item for creating book pages, which doesn't seem to clash with the administer nodes (e.g. having administer nodes permission doesn't let you create/edit book pages).
Comment #8
cog.rusty CreditAttribution: cog.rusty commentedI understand that there may be different opinions as to whether this is critical or a bug at all (myself, I believe it is both) but marking it as 'won't fix' is a bit too drastic.
This issue makes it hard for contributed modules to offer useful functionality such as partial moderation without 'administer nodes' permission for all nodes. I don't see any reason for the current behavior, that's why it looks like a bug to me.
Comment #9
Zen CreditAttribution: Zen commentedComment #10
merlinofchaos CreditAttribution: merlinofchaos commentedOk, I believe this actually is a critical bug, as it breaks a Drupal feature. It's just a drupal feature that's a little hard to actually see, because core Drupal doesn't take advantage of it without an external module. In order to justify this stance, let me go back and define the scenario under which this causes problems.
If I am using a node_access based module--any node_access based module--and I give a user the right to edit a node that user does not own, but I do not give the user 'administer nodes' privileges, that user cannot effectively edit the node without taking ownership of it. It affects more than just the author, it also affects all flags such as revision, promoted to front page, sticky and moderated. Meaning if my user with editing privileges edits it, it may actually return to moderation if that's the default.
The problem is simply that this information is not preserved. In previous versions of Drupal, this was extremely difficult to preserve. [Note: Actually, after reading the code, it wasn't; node_save is smart enough to fill in missing information from the original node without doing any work at all, and all that had to be done was simply leave the information OUT.]
This patch ensures that all of the information is added to the node form via #type => value, meaning that it is never visible to the end user. This information is then simply passed through the form and written.
Adding this allowed the removal of a certain level of validation for non administrative users, since now we have guaranteed the required information will always be present.
To test this patch: You'll need to edit your code, or use any external module. The easiest one is node_privacy_by_role but if you happen to already have one set up in your test environment, great. If you don't have one set up and don't want the hassle that npbr will cause, try my node access arbitrator module.
In any case, to test the patch, give a non-administrative user permission to edit your node. Pre-patch, upon saving the node the node author and all node flags will revert to defaults. (As will the creation date). Post-patch: these values will be preserved. This patch should not affect other editing configurations, but obviously these should be tested to make sure.
Comment #11
merlinofchaos CreditAttribution: merlinofchaos commentedComment #12
merlinofchaos CreditAttribution: merlinofchaos commentedReduced a little code by using a loop in this version of the patch.
Comment #13
chx CreditAttribution: chx commentedWhat a nice patch!
Comment #14
merlinofchaos CreditAttribution: merlinofchaos commented6 character edit on patch to remove erroneous 'date' field from the loop. 'created' supercedes it; 'date' is a string that is only translated back to a time if the user has administer node privs.
Comment #15
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedI am a bit confused by this patch. The code it removes does somethign based on the options set for the node type while the added code does not. Can somebody elaborate?
Comment #16
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedI am a bit confused by this patch. The code it removes does somethign based on the options set for the node type while the added code does not. Can somebody elaborate?
Comment #17
merlinofchaos CreditAttribution: merlinofchaos commentedThe code I removed forced all of the node options (promote, sticky, revision, etc) back to their defaults if anon-admin user was the one editing the node. With the new patch, those options remain where they were.
Comment #18
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedYeah, that's what I thought. This means we change this behaviour. Not a good idea this late in the release cycle.
Comment #19
merlinofchaos CreditAttribution: merlinofchaos commentedAll right. I'm not happy about it, but here is a patch that only preserves the author and the creation time of the node.
Comment #20
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedapplied
There was a considerable amount of discussion involved in chosing the workflow as it is now. I don't have a personal opinion on this, but I felt it btter not to mess with it now.
Comment #21
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedComment #22
(not verified) CreditAttribution: commented