For my use case I needed specific functionality to allow granting permissions for just a single role. Every other role would be untouched by nodeaccess.
So user with this new specific role can be granted the edit permission to edit certain pages, without allowing them anything else.
I've made quite a few modifications to this module to make it work. Some of the added functionality might be of use for other people. Therefore I'm throwing my patch here. But as a whole it might not (yet) be suitable for inclusion in the module.
I'll put the patch and a changelog in the first comment below.
Remaining tasks
If there's a desire from the wider community of users of nodeaccess to add any or all functionality to the module, remaining tasks -- in no particular order / either of these could happen first:
- Discuss and decide which pieces to add to module.
- Break out pieces into child issues.
| Comment | File | Size | Author |
|---|---|---|---|
| #13 | interdiff_9-13.txt | 418 bytes | joshahubbers |
| #13 | nodeaccess-limited_to_role-2979082-13.patch | 19.13 KB | joshahubbers |
Comments
Comment #2
paulvandenburg commentedThe mentioned patch and changelog:
Maybe I'll come back to this someday and split it in nice separated patches, but not today.
Comment #4
ruudvanoijen commentedYou've added a check for operation view and status. However this check can be removed and the return can be placed in the switch case
You only want to return something here if it is relevant to that role.
Comment #5
paulvandenburg commentedYou're right that that access check could be moved to the switch case. However before the switch case there is a quick return for roles which aren't controlled by nodeaccess. As a result those other roles would not receive this access.
But I did discover some other issues. When used in combination with the revisioning module, permission for nodes is not granted when that node is unpublished (e.g. due to a node export/import). The revisioning module did provide an extra access case for this scenario, however it disables that extra case when a module implements hook_node_grants, like this module.
So I've added that extra case to this module as well, when nodeaccess_node_access_records() turns up empty.
Comment #7
paulvandenburg commentedIn light of the recent security advisory, this patch already contains the raised issue in #2979618: Wrong user_access in hook_node_access and #2966820: Wrong user_access check in nodeaccess_node_access()
https://www.drupal.org/sa-contrib-2019-009
Comment #8
alisonNote to revisit, possibly for #3033025: Nodeaccess 7.x-1.7 release.
Comment #9
tvoesenek commentedI've rerolled the patch from #5 against the latest dev.
Comment #10
alisonCool ideas, @paulvandenburg, and thanks for the reroll, @TVoesenek!
Do you two feel like you still want this functionality -- and do you want it for D7, or not really anymore -- or definitely still want it? Just checking! (@TVoesenek are you using the patch on a site, or providing rerolling services? Again, just checking :) )
Initial thoughts, skimming through the changelog comment (awesome -- thanks for writing!), haven't skimmed through code or tested the patch yet:
.............
(Meanwhile, just fyi: I'm going to remove from the "also considering" list for 7.x-1.8, just because it's so much new functionality to consider -- I think if we roll any of it into the module, it'll be in pieces.)
Comment #11
paulvandenburg commented@TVoesenek and I are colleagues and we have this patch running for a few customers. But we are currently in the phase of just maintaining existing functionality. So we still need the patch, but getting it committed is a "nice to have" thing.
I agree the best case scenario would still be splitting it into smaller patches, but with the above in mind I don't think I'll find the time to do so.
For our use case the "preserve hidden grants" and "give node grants priority" are not really relevant. I don't think they really interfere here, but I've not tested it.
To explain our use case:
It is a simplified granting system. Users with role A can grant selected users with role B (or everyone with role B) edit access to specific nodes of certain content types. Role A users are basically the "master editors" who maintain all content. They want to give specific people access to a single or a few pages so they can edit the few pages containing content for their expertise/job. So nodeaccess is only maintaining editting permissions of nodes and only maintaining permissions for users with role B. Only users with role A can edit these grants. Users with role B are generally very limited users who can only edit those specific assigned nodes.
Basically this whole patch revolves around 2 things:
And then some clean up due to the legacy of the module.
Comment #12
alison@paulvandenburg Gotcha, thank you so much for explaining!
I'm doing to say "needs work" b/c if it's going to be committed, it'll be in pieces -- not to oblige y'all to actually do that, just to reflect the status of the issue.
Comment #13
joshahubbers commentedFixed a bug in this patch (#3195324: Column 'uid' in where clause is ambiguous).
Column 'uid' in where clause is ambiguousbecause a condition onuidand not onu.uidis added.Comment #14
d.fisher commentedDrupal 7 security support has ended as of 5 January 2025.
We are doing some housekeeping on the nodeaccess issue queue and moving all Drupal 7 issues to "postponed (maintainer needs more info)". See https://www.drupal.org/project/nodeaccess/issues/3516593.
If this issue persists on the latest dev branch of nodeaccess (2.0.x-dev) then please feel free to comment and we will change the version against this issue. If we do not hear any feedback within 2 weeks (9th October 2025) we will go ahead and close this issue as outdated.
Thank you.
Comment #15
d.fisher commentedAs per the above, as there has been no response we will now close this issue as outdated.
If this issue persists on the latest dev branch of nodeaccess (2.0.x-dev) then please feel free to update the version on this issue and reopen it.
Thank you.