If we have:

- a global flag, which role R doesn't have access to
- a node type, which role R may create
- the flag is set (in the node type settings) to be set by default

then when a user with role R creates a node, the flag is not set.

I spotted this while looking at #1878808: remove $account parameter from flag_get_flags(). The problem is basically that when we first fetch all flags, we limit by what the current user has access to. This means that the logic to set the default value in a hidden form element (because the current user doesn't have access) is completely ineffectual, as it never gets to fire.

CommentFileSizeAuthor
#2 1882006.flag_.global-default-new-nodes.tests-only.patch4.88 KBjoachim
#2 1882006.flag_.global-default-new-nodes.patch6.82 KBjoachim
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

joachim’s picture

joachim CreditAttribution: joachim commented

Ugh, the break goes further than just that bit.

Even if I remove the passing of the $user param to flag_get_flags(), the flag is not set, because flag_field_attach_save(), which handles saving of flags for all edit forms, causes the usual flag access checks to happen:

    flag($state ? 'flag' : 'unflag', $flag_name, $id);

and hence because the current user can't use the flag, the access checks inside the flag handler return FALSE and nothing happens.

A bit of issue queue & git archaeology shows that:

1. this was originally fixed / implemented in #320276: Respect flag defaults on node/add forms regardless of permission, where hook_nodeapi() was changed to pass the $skip_permission_check parameter when flagging. However, this uses flag(), which at that commit DID NOT receive the extra parameter -- so AFAICT, the fix in fact didn't work.
2. it was then (further) broken by #1149496: Flagging on node form checks perms of node author - should check perms of active user, which removed the passing of the $skip_permission_check parameter (which was doing nothing anyway). This commit is only on 6x2x, however the (not very helpful) dump commit c36124e then puts all of 6x2x on 7x2x.

joachim’s picture

joachim CreditAttribution: joachim commented
Status: Active » Needs review
FileSize
1882006.flag_.global-default-new-nodes.patch6.82 KB
1882006.flag_.global-default-new-nodes.tests-only.patch4.88 KB

Tests + full patch.

joachim’s picture

joachim CreditAttribution: joachim commented
Status: Needs review » Fixed

Patches test results are as expected; committing.

Issue #1882006 by joachim: Fixed flag defaults not respected on node add form if creating user doesn't have access.

joachim’s picture

joachim CreditAttribution: joachim commented
Version: 7.x-3.x-dev » 7.x-2.x-dev
Status: Fixed » Patch (to be ported)
joachim’s picture

joachim CreditAttribution: joachim commented
Issue summary: View changes

added detail

  • joachim committed df5700f on 8.x-4.x 
    Issue #1882006 by joachim: Fixed flag defaults not respected on node add...