Hi everyone -

There seems to be a serious permissions issue that I've spent a long time trying to solve, but with no success, so I'm putting it out to the Drupal community for solutions.

The aim is:

1) Standard users (authenticated, non-admin roles) should only be able to create new content through node/add as themselves, i.e. the Authoring Information is automatically populated with the logged-in user's information and they should not be able to alter or amend it.

2) Admins should be able to create new content as anyone by using Authoring Information and typing in the username they want to create content under.

At the moment the node/add form displays Authoring Information and Promotion Settings for all roles, and I can't seem to find a way to hide or disable those by role. I can obviously hide them entirely, with some CSS, but then Admins can't access those options and we can't accomplish point 2 above.

Disabling "Display author and date information" by editing the content type doesn't help us, since we do want to display authoring information on the content post itself; we just want standard users not to be able to amend it to pretend to be someone else. Obviously, being able to post as someone else causes a significant security issue.

I would have thought that it's a permissions issue, but there is no node permission to "Create Own" content. Right now standard users have permission to "Create new content", "Edit own content", "Delete own content". Whereas Admins can also "Edit any content" and "Delete any content". So with permissions set up this way, you have a strange situation where a standard user can create content under another user's name, and then not be able to edit or delete it!

I've also looked at various modules to solve the problem, mostly designed to customise the node/add form, but none seem appropriate.

Thanks in advance for any help!

Comments

nevets’s picture

By default Drupal should behave the way you describe.

If users are seeing the vertical tabs, it would imply they have been granted the 'administer nodes' permission.

ampp-dev’s picture

Yes, you are absolutely right, I should have mentioned that in the original post.

Currently the 'administer content' permission is turned on for one of the standard user roles and I am unable to turn it off - I assume there's a dependency there from another module.

Is there any other way to disable the vertical tabs?

nvl.sateesh’s picture

The problem seems to be permissions. When I gave "Administer content" on a fresh Drupal install, I was able to reproduce your issue. What access control modules do you have, such as Content Access or Node Privacy By Role, etc.? One easy way, perhaps, is to remove all permissions under the "Node" heading and see if it changes. Then enable them one by one to see which one triggers the issue. If you can provide a list of the modules you have, I can look further.

Sateesh Nutulapati
Devops Solutions Architect at New Target, Inc.

ampp-dev’s picture

Thanks NVL Sateesh,

I am not running any non-core access modules. I am just using the permissions under the Node module.

I have tried removing all permissions from the Node module, but it's not allowing me to deselect them all - what remains is "Administer Content", which I believe is the problem here. Is it possible that this cannot be deselected due to something dependent on it?

VM’s picture

Permissions are not dependent on other permissions.

Go to admin/reports/status
Find the row Node Access Permissions
At the end of the description, locate and click the Rebuild permissions link
Test

ampp-dev’s picture

Thanks VMII,

I tried rebuilding node access permissions and I still cannot remove "administer content" from several roles.

Could it be that a module requires this and won't let me remove it?

VM’s picture

I suppose it could be, but it is one that I am not immediately aware of, considering your statement that there aren't any permissions modules in use.

nvl.sateesh’s picture

If it is not allowing you to deselect, it means that another role that is below this role has that permission and hence the hierarchy. Can you try removing it for all roles starting from the least privileged such as Anonymous, then, Authenticated... Otherwise, try rebuilding node permissions.

Sateesh Nutulapati
Devops Solutions Architect at New Target, Inc.

ampp-dev’s picture

None of the roles below have this permission turned on. I've been able to turn it off for all other roles, but one role will not allow me to turn it off.

nvl.sateesh’s picture

Did you try rebuilding permissions? Also, can you post a screenshot of the permissions page?

Sateesh Nutulapati
Devops Solutions Architect at New Target, Inc.

ampp-dev’s picture

Yes, I tried rebuilding the permissions but that didn't seem to help.

Only local images are allowed.

VM’s picture

Images must be uploaded to a photo-sharing site and linked. They cannot be embedded directly into posts/comments using the editor.

ampp-dev’s picture