i recognized a strange behaviour on my site with contact_manager. users, who don't have the "administer nodes" permission, but all "contact_manager-module" and connected field permissions always get an "access denied" error, when trying to access a contact_manager node page. the funny thing is, that although not allowed to view the node, they are able to edit it.

to alter that module-behaviour i applied the following patch:

--- contact_manager.module.orig 2009-09-25 22:35:30.000000000 +0200
+++ contact_manager.module      2009-12-18 17:46:55.000000000 +0100
@@ -151,6 +151,7 @@ function contact_manager_nodeapi(&$node,
       if ($node->type == 'contact_manager' &&
           $node->uid != $user->uid &&
           !user_access('administer nodes') &&
+          !node_access('view', $node, $user) &&
           !_contact_manager_is_cron_running()) {
         drupal_access_denied();
         exit;

Comments

darren.ferguson’s picture

darren.ferguson commented
Priority: Critical » Normal
Status: Active » Closed (fixed)

Issue has been looked at and patch has been accepted, this is now in the 6.x-1.x-dev branch for the module.

http://drupal.org/cvs?commit=344698

jday’s picture

jday commented

I just updated my drupal site with the new .dev version but users are still only able to see contacts they have created at '...contact_manager/list'

users have administer nodes and all contact manager permissions but only user1 can see all contact_manager nodes, if a user has not created a contact node the contact_manager/list view is blank.