How do I split the publishing options permission from the administer nodes permission?

Staff users have permission to create, edit and delete some content types and not others. I granted them permission to edit and delete content created by other staff, not just their own, under those specific content types.

If staff is granted Administer Nodes permission, they get Publishing Options when editing. However, when they click the Create Content link, Drupal offers them all content types, not just the content types that staff has permission to create. Attempts to create such unauthorized content fail, but I don't want them offered the ability to create such content in the first place.

If staff is not granted Administer Nodes permission, then when they click the Create Content link, Drupal offers them only the content types that staff has permission to create. However, they then do not get Publishing Options when editing a permitted content-type node.

How do I give staff Publishing Options when editing a content type they are permitted to edit but only show them those content types they have permission to create when they click Create Content?

Comments

nevets’s picture

I believe Override Node Options will do the trick.

vako’s picture

I'm surprised that this flaw exists in Drupal 6!! It's common sense that you don't have to allow users to administer all content types but to be able to publish the ones they are allowed to administer.
Surely there must be a solution without having to install extra modules...?

Please help, this is an urgent security issue.

ayesh’s picture

As far as I know, there is no built in way to do this.

Ultimately, all we need to alter is:
- allowing users to see their own content,
- allowing users to edit their own content,
- and publishing their own content (currently only admins can do this).

"administer own nodes" permission.
Not sure if a module exists for that, though.

vako’s picture

OK. So how can we provide a user access to create a specific content type and publish it himself/herself, without exposing all other content types to him/her?

frazras’s picture

"I would rule the world - If only I had the source code"
R.A.Smith -- "ƒrÅzRâ§"
http://www.exterbox.com

vako’s picture

Thanks for the links, but they don't solve the issue.
I think we have a major bug in Drupal, surprised that it's not been considered as a critical issue!!
It's hard to explain but once you understand, then it can be reproduced on any system and it is MAJOR!!

joel_osc’s picture

I ran into this recently in D7 and the Override Node Options module worked great. Thanks @nevets.

vako’s picture

Yes, I agree, the Override Node Options module works also in D6.
Wish it could be adopted in Drupal Core.

x.meglio@gmail.com’s picture

Has this issue been solved in Drupal 8?

lomale@bluewin.ch’s picture

This seems a very important issue to me. How can I do that? Where in rights is that implemented in Drupal 8.6.1?

I do not want to give full permission to my staff.

Thanks for the reply.

vako’s picture

Use the Override Node Options module.
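
For readers who want to see how the two permissions can be decoupled, here is an added example that is not part of the thread and not the Override Node Options module's code. It is a small Drupal 7 custom module that exposes Publishing Options per content type without granting "administer nodes". The module name `staff_publish` and the permission string are hypothetical, and it assumes the Drupal 7 node form, where the `options` fieldset is gated by `user_access('administer nodes')`.

```php
<?php
/**
 * @file
 * staff_publish.module (hypothetical module name), Drupal 7 only.
 * Needs a matching staff_publish.info file to be enabled.
 */

/**
 * Implements hook_permission().
 *
 * Defines one "publishing options" permission per content type, so the
 * ability is granted per type instead of through "administer nodes".
 */
function staff_publish_permission() {
  $perms = array();
  foreach (node_type_get_names() as $type => $name) {
    // Permission string is an assumption made for this example.
    $perms["set $type publishing options"] = array(
      'title' => t('%type: set publishing options', array('%type' => $name)),
    );
  }
  return $perms;
}

/**
 * Implements hook_form_BASE_FORM_ID_alter() for node_form.
 *
 * Core hides the "options" fieldset (published, promoted, sticky) from users
 * without "administer nodes". Re-enable it only for the type being edited,
 * and only when the user holds the per-type permission defined above.
 */
function staff_publish_form_node_form_alter(&$form, &$form_state, $form_id) {
  // Administrators already see the fieldset; leave core behaviour alone.
  if (user_access('administer nodes')) {
    return;
  }
  $type = $form['#node']->type;
  if (isset($form['options']) && user_access("set $type publishing options")) {
    $form['options']['#access'] = TRUE;
  }
}
```

Create and edit access are still decided by the normal per-type node permissions, so staff without "administer nodes" continue to see only their permitted types under Create Content.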