Only the root (uid=1) user can publish using the blogapi. Every other user I've tried gets this error:

You do not have permission to create the type of post you wanted to create

same error in ecto, w.bloggar and performancing.

Error occurs with different node types (eg. blog entry, story).

I've made sure the users have the following permissions:

edit own blog
create stories
edit own stories

In blogapi.module, the pertinent block seems to be line 222:

  if (!node_access('create', $node)) {
    return blogapi_error(t('You do not have permission to create the type of post you wanted to create.'));
  }

What does node_access('create', $node) mean?

CommentFileSizeAuthor
#11 56016.patch.txt582 bytesdopry
#4 56016.patch610 bytessamc
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

samc’s picture

samc CreditAttribution: samc commented

Hmmm. I've been using w.bloggar pretty regularly without seeing this problem, but I may be on a slightly different version.

Have you enabled the node types on the blogapi settings page? Are you using MovableType for the XML-RPC engine?

The node_access function is described here: http://api.drupal.org/api/HEAD/function/node_access.

smokey-1’s picture

smokey-1 CreditAttribution: smokey-1 commented

I haven't tried blogapi.module on any other drupal version (only 4.7-beta6), so I guess I'll try it a different version.

And yes, I have the content types selected on the blogapi configuration page. I thought it might have just been a blog entry problem, so I tried the other content types... no luck.

On the plus side, when I enable the other content types on the blogapi config page, I can see the different "blogs" from the external client. Incidentally, the other functions seem to be working fine -- ie. from the weblog client, I can see previous posts, different content types as separate "blogs". Just fails when posting as a non-root user.

I'll test it on a 4.6 installation.

smokey-1’s picture

smokey-1 CreditAttribution: smokey-1 commented

Are you using MovableType for the XML-RPC engine?

BTW, I've read about this requirement somewhere else on the internet.... What's the reasoning behind this requirement? (Is there already a page/thread about this somewhere you can point me to?)

Thanks!

samc’s picture

samc CreditAttribution: samc commented
Priority: Normal » Critical
Status: Active » Needs review
FileSize
56016.patch610 bytes

Ok. I've created a fresh install and confirmed this issue on HEAD. Turns out there is a bug in line 222 that is not seen if the user in question has "administer nodes" permission. (Which is why I hadn't seen it before.)

  if (!node_access('create', $node)) {
    return blogapi_error(t('You do not have permission to create the type of post you wanted to create.'));
  }

should read

  if (!node_access('create', $edit)) {
    return blogapi_error(t('You do not have permission to create the type of post you wanted to create.'));
  }

I've attached a patch and updated the issue status accordingly.

Note that once you get past here, you'll likely run into this issue (#53834), caused by a bug in the same code. If you do, there's a patch to apply. (If you don't, let me know!)

smokey-1’s picture

smokey-1 CreditAttribution: smokey-1 commented

Works beautifully!

Thanks Sam!

smokey-1’s picture

smokey-1 CreditAttribution: smokey-1 commented

Note that once you get past here, you'll likely run into this issue (#53834), caused by a bug in the same code. If you do, there's a patch to apply. (If you don't, let me know!)

BTW... No, I don't see this error.

merlinofchaos’s picture

merlinofchaos CreditAttribution: merlinofchaos commented
Status: Needs review » Reviewed & tested by the community

Not sure about #53834, but this is obviously a bug now that it's pointed out. And this is an obvious fix.

merlinofchaos’s picture

merlinofchaos CreditAttribution: merlinofchaos commented
Status: Reviewed & tested by the community » Needs review

Actually killes points out to me that node_access('create',) takes a different parameter, and this may not be RTBC.

scroogie’s picture

scroogie CreditAttribution: scroogie commented

What different parameter?
Imho it takes a string, an array of nodes or a single node object. If the parameter is a string, its value is used as a type, if its an array, its values are used as node objects. If its an object, it is used as a node object.

dopry’s picture

dopry CreditAttribution: dopry commented

node_access expects the node type on op create, not a node array. Its only documented in hook_access though...

dopry’s picture

dopry CreditAttribution: dopry commented
FileSize
56016.patch.txt582 bytes

Well here is an update version.. to make node_access happy....

killes@www.drop.org’s picture

killes@www.drop.org CreditAttribution: killes@www.drop.org commented

applied

samc’s picture

samc CreditAttribution: samc commented

Not fully understanding the issue w/ the type. Is there an easy explanation?

Is the implication that the docs for node_access are incorrect?

Is the $node parameter in the function poorly named? 

function node_access($op, $node = NULL, $uid = NULL)
killes@www.drop.org’s picture

killes@www.drop.org CreditAttribution: killes@www.drop.org commented
Status: Needs review » Fixed

the docs are quite right:

* @param $op
* The operation to be performed on the node. Possible values are:
* - "view"
* - "update"
* - "delete"
* - "create"
* @param $node
* The node object (or node array) on which the operation is to be performed,
* or node type (e.g. 'forum') for "create" operation.

Anonymous’s picture

(not verified) CreditAttribution: commented
Status: Fixed » Closed (fixed)