permissions bug and tokens in permission names [#917360]

for links like node/nid/delete if viewer permission is set to 'delete any content' and author permission is set to 'delete own content' no links are displayed for author, because viewer permission check is first and since it is rarely same user has permission to delete own content AND delete any content, no links are displayed.

idea is to check for author OR viewer permission, not author AND viewer permission.

i'm on it.

Comment	File	Size	Author
#4	custom_links-fix_permissions_token_support-917360-2.patch	1.12 KB	mansspams
#3	custom_links-fix_permissions_token_support-917360.patch	1.11 KB	mansspams
#2	custom_links-fix_permissions_token-support-#917360.patch	1.11 KB	mansspams

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

mansspams CreditAttribution: mansspams commented 20 September 2010 at 19:23

no, we just have to check if user is author or not, looks like an easy fix.

Comment #2

mansspams CreditAttribution: mansspams commented 20 September 2010 at 23:06

Title:	permissions bug	» permissions bug and tokens in permission names
Status:	Active	» Needs review

File	Size
custom_links-fix_permissions_token-support-#917360.patch	1.11 KB

This patch will 1) fix permission bug 2) add token support for permission names. Making 2 fixes in same patch, because same code are responsible for both issues.

Bug was that code worked in viewer and author cases, but broke when viewer and author were same user. Now viewer permissions are checked seperatly - only for viewer if user is viewer (or 'NOT author' since there are only two cases) and only for author if user is author.