On a site with users created by admin only, a few roles added and the right permissions assigned to these roles, I encountered the following problems:

1.) While logging in as an user under a particular role, the user could not view content (blog postings), although the title of the block (Recent blog posts) was visible and node access was granted. Is this default behaviour? This user had not created any blog posts until then.

2.) Similarly only the title of 'Upcoming events' block was visible and not the nodes created by others.

In an effort to solve these problems, I disabled NPBR from administer>settings>node_privacy_by_role, without disabling it from administer>modules. These users were now able to see all the blog and upcoming event postings.

However, when I completely disabled NPBR by going to administer>modules and logged out, it cut off all access to content for anonymous users- they were seeing the CS/Drupal intro welcome message on the home page of the site, despite permissions for access to content having been given to anon users.

I tested this a few times and am quite convinced there is something happening here. In fact, I deleted a CS install on another site exactly because of this problem- I had grappled with it for three days, trying all sorts of things such as clearing cache, repairing the tables, optimizing them etc, before giving up. That install had NPBR turned on too, and I suspect, turned off like this instance.

I am willing to post the screenshots if Ankur thinks they will be useful.

Comments

venkat-rk’s picture

venkat-rk commented

Sorry, that should've been NPBR (node_privacy_by_role).

ankur’s picture

ankur commented

Hello Ramdak,

On issue (1), there was a bug in versions 4.5.x where, if the author did not grant view or edit privileges to a user for a certain node, the node teaser would still show up in listings, but clicking on the actual node (going to q=node/n) would give an access denied.

This bug has been resolved in 4.6 and an upgrade script is needed to resolve the issue.

Sorry for the time wasted on issue (2). I tried to replicate the problem and was able to get the exact same result, but it happened only when I left 'enabled' selected on q=admin/settings/node_privacy_byrole and THEN disabled the module on the q=admin/modules page.

In short, the extra 'enable' on the q=admin/settings/node_privacy_byrole page causes (0,0,'all',1,0,0) to be DELETED from the {node_access} table. When this row is present in the table, the permissions scheme defaults to what is configured on the permissions administration page where all Drupal permissions are set. When this row is deleted upon 'enabling' in the page at q=admin/settings/node_privacy_byrole, the permissions are determined on a node-by-node basis by entries in the table created by node_privacy_byrole. These override whatever has been set on the user's permissions pages. (0,0,'all',1,0,0) is re-inserted when the module is disabled (which is what the extra disable step if for on q=admin/settings/node_privacy_byrole).

For now, my recommendation would be to check your DB if you have DB access and to wait until you upgrade to Drupal 4.6 (or CS 0.8.1).

-Ankur

venkat-rk’s picture

venkat-rk commented

Hello Ankur,

Thank you for taking the time to look into this issue and also for the clear explanation about what is happening.

I think I will wait for 0.8.1 for this to be resolved. Thankfully, it is not a big issue- I just need to put up with the message about NPBR at the top of the node creation form when creating content.

Ramdak

ankur’s picture

ankur commented