_node_revision_access() in node.module is used to check whether or not someone should have access to delete, revert or view a revision.

I found this issue when trying to troubleshoot #2028303: Delete revisions link appears when user does not have delete revisions permission.

There are permissions that are installed in D7 for each of these tasks:

  • View content revisions
  • Revert content revisions
  • Delete content revisions

However the Administer Content role is given god status over all of these in _node_revision_access().

The main issue here is that the Administer Content permission is providing more access than expected.

I'd propose that this could be fixed in one of two ways:

  1. Remove the code:

    <?php
    elseif (user_access('administer nodes', $account)) {
      $access[$cid] = TRUE;
    }
    ?>

    from node.module and let the specific revision permissions do their thing.

  2. Add additional help text to either the Administer Content permission or to the Revisions permissions. Perhaps it could say "This will have no effect if a role also has the Administer Content permission."

The second option is probably more plausible. Thoughts?
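To make the precedence concrete, the following is an added, stand-alone PHP sketch; it is not Drupal's node.module code and not the reporter's code. It models the decision order the issue describes for _node_revision_access() with a stub user_access() and a constructed editor account, so it runs without a Drupal bootstrap. The permission names are Drupal 7's; the function names, the account array shape and the $allowed_by_node_access parameter (standing in for the node_access() result the real function computes for non-admins) are assumptions made for this illustration.

```php
<?php
// Added illustration of the access precedence discussed in the issue.
// Not Drupal's node.module code. The stub user_access(), the account
// array shape and the $allowed_by_node_access parameter are assumptions.

// Stand-in for Drupal's user_access($permission, $account): an account is
// an array with a list of granted permission names.
function user_access($permission, $account) {
  return in_array($permission, $account['permissions'], TRUE);
}

// Operation-to-permission map for revision operations (Drupal 7 names).
function revision_permission_map() {
  return array(
    'view'   => 'view revisions',
    'update' => 'revert revisions',
    'delete' => 'delete revisions',
  );
}

// Current behaviour as described in the issue: the 'administer nodes'
// branch grants the operation before the per-operation revision permission
// or node access ever decides anything.
function revision_access_with_override($op, $account, $allowed_by_node_access) {
  $map = revision_permission_map();
  if (!isset($map[$op])) {
    return FALSE;
  }
  // Basic permission gate: either the granular permission or the admin one.
  if (!user_access($map[$op], $account) && !user_access('administer nodes', $account)) {
    return FALSE;
  }
  // The override the issue proposes to remove.
  if (user_access('administer nodes', $account)) {
    return TRUE;
  }
  return $allowed_by_node_access;
}

// Option 1 from the issue: with the override removed, only the granular
// revision permission (and then node access) decides.
function revision_access_without_override($op, $account, $allowed_by_node_access) {
  $map = revision_permission_map();
  if (!isset($map[$op])) {
    return FALSE;
  }
  if (!user_access($map[$op], $account)) {
    return FALSE;
  }
  return $allowed_by_node_access;
}

// Constructed account: an editor holding 'administer nodes' (needed for
// promote/sticky) and 'view revisions', but deliberately not
// 'revert revisions' or 'delete revisions'.
$editor = array('permissions' => array('administer nodes', 'view revisions'));

foreach (array('view', 'update', 'delete') as $op) {
  printf("%-6s with override: %-5s  without override: %s\n",
    $op,
    revision_access_with_override($op, $editor, TRUE) ? 'allow' : 'deny',
    revision_access_without_override($op, $editor, TRUE) ? 'allow' : 'deny');
}
```

Run with `php` on the command line. With the override in place the editor is allowed all three operations even though the role was only granted "view revisions"; with the override removed, view is still allowed and revert and delete are denied, which is the behaviour the granular permissions advertise. The real function additionally refuses to revert or delete the current revision and caches results per revision, account and operation; both are omitted here because they do not affect the precedence question.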

Comments

marblegravy

Here's a good example of the melting pot of misc permissions that are tied in to the Administer Content permission.

It's required in order to allow users to promote content to the homepage or make content sticky.

However turning it on allows those same editors to delete revisions which I don't want.

Is this going to be an ongoing issue in D8 or has this been rewritten?

marblegravy

Issue summary updated: cleaned up formatting, added reference to original issue