[drupal-devel] [bug] node_validate does not respect group editing

killes drupal-devel at drupal.org
Sun Aug 14 01:12:13 UTC 2005 

Issue status update for 
http://drupal.org/node/11071
Post a follow up: 
http://drupal.org/project/comments/add/11071

 Project:      Drupal
-Version:      4.5.2
+Version:      cvs
 Component:    node.module
 Category:     bug reports
 Priority:     normal
 Assigned to:  Anonymous
 Reported by:  mathias
 Updated by:   killes at www.drop.org
-Status:       active
+Status:       patch (code needs review)

This patch still applies. I don't immediately see why this is related to
the revisions patch.




killes at www.drop.org



Previous comments:
------------------------------------------------------------------------

Sat, 25 Sep 2004 18:23:13 +0000 : mathias

With the new node-level access permissions, it is entirely possible for
users in the same role, or having the same taxonomy term to edit each
other's nodes. However when this happens, node_validate will transfer
ownership of the node to the user who last edited it.  I think this
behavior should be changed so that original authorship is always
maintained unless specifically transferred.


The problem lies in node_validate, here:


$node->uid = $user->uid ? $user->uid : 0;


Since an alteration such as this could introduce an exploit, I'm
wondering what other's feel would be the best solution?


I was working on a role-based editing permissions module (based on
JonBob's nodeperm_role.module) where the author of a node controls
which groups can view/edit their post.




------------------------------------------------------------------------

Sat, 25 Sep 2004 21:34:00 +0000 : mathias

Attachment: http://drupal.org/files/issues/node_perm.patch (655 bytes)

Here is a proposed patch, which would then allow node authors to choose
which users could view/edit their post.




------------------------------------------------------------------------

Tue, 21 Dec 2004 16:42:24 +0000 : moshe weitzman

seems simple enough to me. we ought to protect against unintentially
changing the author, right? +1




------------------------------------------------------------------------

Mon, 27 Dec 2004 09:16:57 +0000 : Dries

Hopefully, this will become easier/clear as soon the revisions patch hit
CVS.  Let's revisit this soon.




------------------------------------------------------------------------

Wed, 23 Feb 2005 05:52:26 +0000 : tangent

As requested in this issue [1], it may be desirable for users with the
permission to do so to change the owner of a node.
[1] http://drupal.org/node/17267




------------------------------------------------------------------------

Tue, 08 Mar 2005 20:57:14 +0000 : Dries

Waiting for the node revision patch to land.

More information about the drupal-devel mailing list