"update", "delete" grants for unpublished content depend on "view revisions" permission [#575610]

ugh.. i was so excited when i got to the bottom of the amazing thread at http://drupal.org/node/513078 because i thought for sure my problem had been solved.

i believe i have a nearly identical setup and requirements as indicated in #14 but i'm still getting the "no edit" tab problem indicated in #40

i'm running:
module_grants-6.x-2.x-dev
revisioning-6.x-2.x-dev
workflow-6.x-1.x-dev

node permissions:
author has create article (no revert revisions and no view revisions)
moderator has create article, revert revisions, view revisions

revisioning permissions:
author has access 'Pending' tab, edit revisions, view revisions of own content
moderator has access 'Pending' tab, edit revisions, view revisions of own content, publish revisions

workflow moves from
1.creation
2.draft (per workflow_access only author has view/edit/delete)
3.editing (per workflow_access author has view, moderator has view/edit/delete)
4.published

if an author creates a new node and saves it he then has access to the view/revisions/workflow tabs for the node but NO edit tab.

If i then give author node permissions: "view revisions" the edit tab reappears but these users can now see all revisions on the site (undesired)

help! - really unsure about what to try next - any thoughts??

Comments

Comment #1

BenK CreditAttribution: BenK commented 12 September 2009 at 17:27

Locomo,

I had a disappearing "Edit" tab and it turned out the problem was the input format. If a node was created (or most recently modified) with an input format that the user does not have access to, they "Edit" tab will not appear.

Once I changed the input format to one accessible by all users, the Edit tab suddenly appeared. This appears to a result of Drupal core itself rather than the Revisioning, Module Grants, or Workflow modules.

For more details, see this thread:

http://drupal.org/node/91663

It took me a few frustrating hours to track down this answer!

Hope this helps,
Ben

Comment #2

locomo CreditAttribution: locomo commented 13 September 2009 at 04:24

thanks Ben,

but I double checked the input format and it was actually the system default that all roles have access too.. and either way am getting this behavior immediately after saving a new article on creation.. ie, before even promoting the article to the next state of the workflow, immediately upon saving the node becomes un-editable .. no other user could possibly have modified the node.

i'm really at a loss here about what to try next

i'd be grateful for other ideas

are there any other modules known to conflict with the Revisioning/Module Grants/Workflow setup?

I have organic groups running, but not organic groups access control ...

Comment #3

crea CreditAttribution: crea commented 13 September 2009 at 10:59

You probably need some module that grants access to the author. If you have "edit own [type] content" permission disabled, then by default author won't be able to edit, unless there is access control module granting edit access.

Comment #4

locomo CreditAttribution: locomo commented 13 September 2009 at 19:49

Thanks Crea.

Yes, I do have "edit own [type] content" permission disabled.

I'm using Workflow with workflow access enabled and configured along with Module Grants and Revisioning

It was my understanding that this combo of modules should work to grant access to the author. Am I misunderstanding something?

When I give my author role "View Revisions" on the node module the author does in fact have edit access, but then has the undesirable ability to see revisions of all content across the site. When "View Revisions" is not ticked, edit access of nodes he's authored is disabled, but the author can STILL see a revisions tab for content he is authoring (desired behavior) and he can no longer see a revisions tab for other content (desired behavior).

Comment #5

crea CreditAttribution: crea commented 21 September 2009 at 03:18

Strange.. What you describe looks like bug. It's not intended behavior, edit permissions should not mess with "view revisions" permission. I'm going to setup similar workflow on my site soon, and will check if it works for me.

Comment #6

locomo CreditAttribution: locomo commented 23 September 2009 at 04:23

thanks crea - i really appreciate it!

Comment #7

savioret CreditAttribution: savioret commented 24 September 2009 at 19:53

The module better formats solves this problem as it doesn't allow administrators using not-allowed formats
http://drupal.org/project/better_formats

Comment #8

locomo CreditAttribution: locomo commented 25 September 2009 at 01:48

thanks birwel,

but i'm not understanding why you think its a format issue.. i'm actually already running better_formats

it seems like my problem has more to do with permissions/access issues ?

Comment #9

savioret CreditAttribution: savioret commented 25 September 2009 at 08:33

I'm talking about my case. In my case :

- An auth user creates a content, he has the "Simple HTML" Input format permission.
- An administrator sets the content Input format to "Extended HTML" (for example) wich is not accessible by auth users. The administrator doesn't know that auth users dont have access to it.
- The auth user wich has the permission for "Simple HTML", tries to edit this content because he owns it.
- He can't edit the content because the Edit Link is not shown. If he tries to edit the node directly using node/123/edit he get an "access denied" message.

With better formats you can set the allowed input formats per node type, and when editing a node, you won't be able to set non-allowed formats even if you are an administrator, and this solves that problem.

Maybe there are some other cases that make dissapear the Edit button, but this is the solution for this case.

Comment #10

locomo CreditAttribution: locomo commented 29 September 2009 at 03:47

i see..

my case is a little different in that the auth user creates content but upon saving it immediately is unable to edit it (input format has not been changed).. the only way the author of the content even sees an "edit" tab for this node is if I give the author role node permissions: "view revisions".. but then this role has the undesirable ability to see all revisions on the site...

Comment #11

crea CreditAttribution: crea commented 5 October 2009 at 21:36

Title:

"update", "delete" grants for unpublished content depend on "view revisions" permission

» Authors can't edit own unpublished content unless "view revisions" permission is granted

Confirming. It's bug in Module Grants again. It happens only with unpublished content.
Following lines in function module_grants_node_access() deny access:

  // If the node is NOT published and the user does not have "view revisions"
  // permission, deny access, UNLESS it's the author viewing the node and one
  // of the following is true:
  // o Author has "view revisions of own content" permission (see Revisioning)
  // o Author is viewing the initial draft they created.
  if (!$node->status && !user_access('view revisions', $account)) {
    if (!($op == 'view' && $account->uid == $node->uid && $account->uid > 0 &&
      (user_access('view revisions of own content', $account) || get_number_of_revisions($node->nid) == 1))) {
      return FALSE;
    }
  }

module_grants_node_access() is called with $op='update' so "$op=='view'" being FALSE is enough for function to return FALSE.

Comment #12

crea CreditAttribution: crea commented 5 October 2009 at 21:19

Title:	revisioning permissions - author can't edit own content	» "update", "delete" grants for unpublished content depend on "view revisions" permission
Project:	Revisioning	» Module Grants
Component:	User interface	» Code
Category:	support	» bug
Priority:	Normal	» Critical

Better name

Comment #13

locomo CreditAttribution: locomo commented 6 October 2009 at 05:52

Title:

Authors can't edit own unpublished content unless "view revisions" permission is granted

» "update", "delete" grants for unpublished content depend on "view revisions" permission

crea you rock! thank you.

nice find - I was really starting to go a bit crazy with this..

so would it be something like:
(!($op == 'view' || $op =='update') && $account->uid ....

Comment #14

crea CreditAttribution: crea commented 6 October 2009 at 10:55

locomo, I don't know. I don't understand why these lines are there. Let's wait until Rik explains.

Comment #15

locomo CreditAttribution: locomo commented 7 October 2009 at 05:10

will do

Comment #16

RdeBoer

Melbourne

CreditAttribution: RdeBoer commented 8 October 2009 at 08:17

Rik is on holiday.

Comment #17

GuillaumeDuveau

Toulouse

CreditAttribution: GuillaumeDuveau commented 29 October 2009 at 22:35

Looking forward from reading Rik's answer.

Comment #18

locomo CreditAttribution: locomo commented 9 December 2009 at 09:28

Rik .. you back from holiday ? :)

Comment #19

RdeBoer

Melbourne

CreditAttribution: RdeBoer commented 9 December 2009 at 11:20

Yes I'm back -- thanks for checking on me :)
I have some changes on my local machine ready for testing and checking in....
Just really under the pump for a few more days with work....
Will get back to you soon... Promise!

Comment #20

locomo CreditAttribution: locomo commented 9 December 2009 at 16:53

haha.. no worries - thanks!

Comment #21

RdeBoer

Melbourne

CreditAttribution: RdeBoer commented 16 December 2009 at 04:22

Assigned:	Unassigned	» RdeBoer
Status:	Active	» Fixed

locomo, crea,
You're both right... Not sure what I was thinking!
I've refactored and cleaned the code up, so much so that it might actually work now... haha!

See Module Grants and Revisioning versions 16-Dec-09.
Note that the Accessible content menu option now lives in its own module: Module Grants Monitor, which you enable as per normal on the Site building >> Modules page.

Rik