Maybe it's because it's 1am, but permissions just aren't behaving the way I think they should.
I'm trying to prevent an authenticated user with no other roles from being able to delete the content that they create.
The nodetype is an Ubercart product with a number of CCK fields and fieldgroups.
The "authenticated user" column in permissions has only these boxes checked:
access site-wide contact form access content search content create enrollment products (enrollment is the name of the product class)
"delete own enrollment products" is NOT checked. Neither is "edit own enrollment products"
Admin users have all the boxes checked.
I even installed the access control module, and set the "authenticated user" to be only allowed to view this content type, not edit or delete even their own. No effect. plain ol' authenticated user with no other roles can build a new product, then go back and delete it. Which is what I don't want to happen.
Is there something about Ubercart that overrides permissions?
I suppose I could use CSS to hide the "delete" button. Admin users could still delete content through the content list. Still, seems like this is not behaving the way it ought to.
Maybe after I sleep a while it will become clear. Or maybe someone out there reading this knows some permissions voodoo.
Thanks in advance,
Steve