By default, any user with "administer nodes" permission should be able to upload/manage images attached to galleries. Currently, they must be granted permission to edit/delete the node-types specifically. This is unexpected behavior.

Comments

dddave’s picture

To clarify:

Administer nodes should only allow managing unprotected galleries, shouldn't it? Perhaps also private galleries, but password-protected galleries should be excluded in my opinion.

To manage galleries protected in such a way the proper permission (edit password protected galleries without a password) is yet to be introduced here: #612122: node_gallery_access doesn't let users with 'access protected contents' or 'edit protected contents' view password galleries

kmonty’s picture

Gallery Access can implement its own permissions, but core NG will allow editing/managing/uploading for all NG nodes.

I think the problem is that there is an assumption that goes with the "administer nodes" permission. Here is the thing: with organizations that have staffs the size of 75 people, not everyone can have access to user 1, yet they may have multiple super administrators. The super administrators will generally assume that administer nodes gives them the ability to do anything to any node. Does the password protection of a user trump an administrator's duties? It's a tough call. Not necessarily sure what is right.

In general, I support the permissions as they are outlined in the #612122: node_gallery_access doesn't let users with 'access protected contents' or 'edit protected contents' view password galleries thread.

justintime’s picture

From http://www.zivtech.com/blog/drupal-node-access-explained-0

Users with permission to 'administer nodes' are never restricted by node access modules. Users who do not have permission to 'access content' will never gain access from a node access module. Only users who have 'access content' and not 'administer nodes' are eligible for the wild world of node access module control.

While that isn't gospel, I read that blog quite a bit, and they're pretty spot on most of the time. This bug actually touches NG core, as well as NGA. I'll incorporate this bug into #612122: node_gallery_access doesn't let users with 'access protected contents' or 'edit protected contents' view password galleries, but we'll also need to patch NG core as well.
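The decision order quoted in the comment above, applied to a gallery's "manage" and "upload" links, as an added example that is not code from Node Gallery or from any participant in this thread. It is a stand-alone model: `model_user_access()` stands in for Drupal's `user_access()`, the accounts and gallery are constructed arrays, and the 'edit any gallery' permission name and the owner/protected policy in step 3 are assumptions.

```php
<?php
// Stand-in for Drupal's user_access(): here an account is a constructed
// array carrying its permission strings in 'perms'.
function model_user_access($perm, array $account) {
  return in_array($perm, $account['perms'], TRUE);
}

// Hypothetical access callback for a gallery's "manage" and "upload" links.
// $gallery['protected'] is a constructed flag for a password-protected gallery.
function model_gallery_manage_access(array $gallery, array $account) {
  // 1. 'administer nodes' is never restricted by node access modules.
  if (model_user_access('administer nodes', $account)) {
    return TRUE;
  }
  // 2. Without 'access content', no module can grant access.
  if (!model_user_access('access content', $account)) {
    return FALSE;
  }
  // 3. Only accounts that reach this point are subject to module rules.
  //    Assumed policy: owners manage their own galleries; everyone else
  //    needs a permission that matches the gallery's protection state.
  if ($gallery['uid'] === $account['uid']) {
    return TRUE;
  }
  if ($gallery['protected']) {
    return model_user_access('edit protected contents', $account);
  }
  return model_user_access('edit any gallery', $account); // assumed name
}

// Constructed sample data: one password-protected gallery owned by uid 7.
$gallery = array('uid' => 7, 'protected' => TRUE);
$accounts = array(
  'site admin'  => array('uid' => 2, 'perms' => array('access content', 'administer nodes')),
  'owner'       => array('uid' => 7, 'perms' => array('access content')),
  'editor'      => array('uid' => 3, 'perms' => array('access content', 'edit any gallery')),
  'prot editor' => array('uid' => 4, 'perms' => array('access content', 'edit protected contents')),
  'no access'   => array('uid' => 7, 'perms' => array()),
);

foreach ($accounts as $label => $account) {
  $verdict = model_gallery_manage_access($gallery, $account) ? 'allow' : 'deny';
  printf("%-12s %s\n", $label, $verdict);
}
```

The "no access" account owns the gallery but is still denied, because step 2 runs before any ownership or module rule is consulted.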

dddave’s picture

I also think that "administer nodes" should be handled consistently and ng shouldn't introduce something special.

About the patch:

At the moment administer nodes allows access to the gallery node's edit screen and the edit screens of the images. Still needed are the "manage" and "upload" links to be visible and accessible for such users.
Is this understanding correct?

kmonty’s picture

@dddave You are correct

kmonty’s picture

Status: Active » Fixed

Fix committed to dev.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.