Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Hi.
I'm trying out SiteNotes, which looks very promising, but I'm having some trouble to prohibit access for non-super users.
It may be interesting to know that RoleAssign 1.1 has been enabled, the user I'm working with has the permissions to create/modify non-PHP content. In Access control, access site notes remains disabled.
On selecting Create content > Site Note, the user gets the message Access denied.
This looks like normal behaviour to me.
But next, I get some unexpected results.
On selecting Content > (title of) a Site Note, the SiteNote is being accessed.
For the 'non-PHP' SiteNotes, the user can also edit the note. On submitting, he gets the following messages:
' Access denied.
' The Site Note has been updated.
' You are not authorized to access this page.
On reselecting the SiteNote, it indeed has been updated.
What am I missing? Thanks for any advice.
Comments
Comment #1
nancydruI've never had any experience with RoleAssign so I don't know how it might be involved.
You might be running into a bug in the node module that I reported months ago where it's checking permissions in the wrong order. http://drupal.org/node/131950
Does this user have "administer nodes" permission?
Comment #2
beert commentedThe user has "administer nodes" permission.
If it's switched of, the access to the SiteNotes is gone. However, so is the ability to administer the content menu.
The fix from http://drupal.org/node/131950 has been applied to the code, but it seems to be of no direct use to solve the issue.
Comment #3
beert commentedaddendum to my previous post:
the ability to administer the content menu is ofcourse accessible through the "administer menu" permission...
Comment #4
nancydruUnfortunately, "administer nodes" supercedes just about everything. I have to mark this as "by design."
I could suggest that you take a look at that bug report and patch again. If you move the "administer nodes" check to down after the "module_invoke($module, 'access', $op, $node)" checking, it should work as you want. I can't, of course, encourage core module hacking... Feel free to suggest making thsi change in that bug report.
Comment #5
nancydru