[support] Permissions are driving me crazy

[Steven Scotten]

Maybe it's because it's 1am, but permissions just aren't behaving the  
way I think they should.

I'm trying to prevent an authenticated user with no other roles from  
being able to delete the content that they create.

The nodetype is an Ubercart product with a number of CCK fields and  
fieldgroups.

The "authenticated user" column in permissions has only these boxes  
checked:

access site-wide contact form
access content
search content
create enrollment products (enrollment is the name of the product class)

"delete own enrollment products" is NOT checked. Neither is "edit own  
enrollment products"

Admin users have all the boxes checked.

I even installed the access control module, and set the "authenticated  
user" to be only allowed to view this content type, not edit or delete  
even their own. No effect. plain ol' authenticated user with no other  
roles can build a new product, then go back and delete it. Which is  
what I don't want to happen.

Is there something about Ubercart that overrides permissions?

I suppose I could use CSS to hide the "delete" button. Admin users  
could still delete content through the content list. Still, seems like  
this is not behaving the way it ought to.

Maybe after I sleep a while it will become clear. Or maybe someone out  
there reading this knows some permissions voodoo.

Thanks in advance,


Steve