When a role has the "post comments" permission but not the "access comments" permission he will see an "Add new comment" link at the bottom of the node page. It links to #comment-form, but the form is not there, i.e. nothing happens. In D6 the link generates a server hit, but only to show the error message "You are not authorized to view comments."

I don't know if it is intentional that the "access comments" permission prevent posting comments. It seems reasonable that a site admin will allow users to comment on nodes without showing the comments publicly. The error message in D6 doesn't really make sense from an end-user point of view.

This patch allows users to post comments without having permission to view comments.

Files: 
CommentFileSizeAuthor
#22 drupal.comment-permissions.22.patch9.24 KBsun
PASSED: [[SimpleTest]]: [MySQL] 28,805 pass(es). View
#12 drupal.comment-permissions.12.patch9.32 KBsun
PASSED: [[SimpleTest]]: [MySQL] 27,722 pass(es). View
#9 drupal.comment-permissions.9.patch8.58 KBsun
PASSED: [[SimpleTest]]: [MySQL] 25,551 pass(es). View
#6 drupal.comment-permissions.6.patch8.46 KBsun
PASSED: [[SimpleTest]]: [MySQL] 22,642 pass(es). View
#4 drupal.comment-permissions.4.patch8.54 KBsun
FAILED: [[SimpleTest]]: [MySQL] 22,144 pass(es), 1 fail(s), and 0 exception(es). View
#1 comment-permissions-2.patch10.4 KBc960657
PASSED: [[SimpleTest]]: [MySQL] 20,930 pass(es). View
comment-permissions-1.patch10.38 KBc960657
PASSED: [[SimpleTest]]: [MySQL] 20,364 pass(es). View

Comments

c960657’s picture

FileSize
10.4 KB
PASSED: [[SimpleTest]]: [MySQL] 20,930 pass(es). View

Reroll.

aaronbauman’s picture

Initially I got hung up on #438224: "Post comments without approval" permission name is completely misleading, but after enabling the wrongly-named "Post comments with approval" permission that's actually just "Post comments", this patch worked for me.

beejeebus’s picture

sun’s picture

Title: Weird behaviour when role has "post comments" permission but not "access comments" » "post comments" permission does not work without "access comments"
FileSize
8.54 KB
FAILED: [[SimpleTest]]: [MySQL] 22,144 pass(es), 1 fail(s), and 0 exception(es). View

Squeezed a similar fix into #757154: Base form_id via hook_forms() not taken into account for #validate, #submit, hook_form_FORMID_alter(), this issue is a better home.

+++ modules/comment/comment.pages.inc	21 Jun 2010 18:10:38 -0000
@@ -27,79 +27,79 @@
+    elseif (user_access('access content')) {
+      $build['comment_node'] = node_view($node);

This has to invoke node_access() -- overall, that entire logic in comment_reply() scares me a bit. Did you try whether it can be simplified?

Attached is just a re-roll, including tiny adjustment of parentheses in the access condition.

40 critical left. Go review some!

Status: Needs review » Needs work

The last submitted patch, drupal.comment-permissions.4.patch, failed testing.

sun’s picture

Status: Needs work » Needs review
FileSize
8.46 KB
PASSED: [[SimpleTest]]: [MySQL] 22,642 pass(es). View

Re-rolled against HEAD.

sun’s picture

Status: Needs review » Needs work

The "Add new comment" link assertion I removed in #6 is required and needs to be kept, it seems. At least, that link appears without this patch.

effulgentsia’s picture

subscribing

sun’s picture

Status: Needs work » Needs review
FileSize
8.58 KB
PASSED: [[SimpleTest]]: [MySQL] 25,551 pass(es). View

Re-rolled against HEAD.

sun’s picture

Assigned: Unassigned » sun
dww’s picture

Status: Needs review » Needs work

I believe this is a bug:

+    $this->assertFieldByName('comment_body[und][0][value]', '', t('Comment field found.'));

Note: [und] ;)

sun’s picture

Status: Needs work » Needs review
FileSize
9.32 KB
PASSED: [[SimpleTest]]: [MySQL] 27,722 pass(es). View

Well, that's not really related to this patch. Fixed it anyway.

coderintherye’s picture

Status: Needs review » Reviewed & tested by the community

This patch applies cleanly on the latest Drupal HEAD, does exactly what it states it will do, and has no problems found via coder. I tested this on Drupal Head on Oct. 12th, and reversed and reapplied the patch a couple times and tried posting a couple comments as well and found no issues.

Marking RTBC. Please mark back if you find an issue I didn't see.

sun’s picture

sun’s picture

sun’s picture

sun’s picture

Issue tags: +DrupalWTF, +API change

This is 1) a WTF and 2) a tiny API change.

sun’s picture

webchick’s picture

Version: 7.x-dev » 8.x-dev

Sorry, but IMO this represents a behaviour change way after we can make behaviour changes like this. It's not a bad idea, mind you. But invalidates documentation and makes a miniscule API shift for a non-critical bug.

Bumping to 8.x.

sun’s picture

Version: 8.x-dev » 7.x-dev

Comment form on same page. 0 comments exist. View of an anonymous user, having "post comments" but not "view comments" permission:

comment-add-link.png

sun’s picture

FileSize
9.24 KB
PASSED: [[SimpleTest]]: [MySQL] 28,805 pass(es). View
+++ modules/comment/comment.test	7 Oct 2010 18:36:20 -0000
@@ -586,14 +587,14 @@ class CommentAnonymous extends CommentHe
+    $this->assertNoLink('Add new comment', 0, t('Link to add comment was found.'));

assertNoLink() only has two arguments. Fixed in attached patch.

Powered by Dreditor.

sun’s picture

Although this patch can be committed as is, I wanted to mention that it has been merged into #754760: "Add new comment" appears directly above comment form / "post comments" does not work without "access comments" permission, because that patch tests all possible permutations of comment links under all possible conditions.

webchick’s picture

Status: Reviewed & tested by the community » Closed (duplicate)

Let's deal with it over there.