[drupal-devel] [bug] node_validate does not respect group editing

tangent drupal-devel at drupal.org
Wed Feb 23 05:52:32 UTC 2005

 Project:      Drupal
 Version:      cvs
 Component:    node.module
 Category:     bug reports
 Priority:     normal
 Assigned to:  Anonymous
 Reported by:  mathias
 Updated by:   tangent
 Status:       patch

As requested in this issue [1], it may be desirable for users with the
permission to do so to change the owner of a node.
[1] http://drupal.org/node/17267


Previous comments:

September 25, 2004 - 13:23 : mathias

With the new node-level access permissions, it is entirely possible for
users in the same role, or having the same taxonomy term to edit each
other's nodes. However when this happens, node_validate will transfer
ownership of the node to the user who last edited it.  I think this
behavior should be changed so that original authorship is always
maintained unless specifically transferred.
The problem lies in node_validate, here:
$node->uid = $user->uid ? $user->uid : 0;
Since an alteration such as this could introduce an exploit, I'm
wondering what other's feel would be the best solution?
I was working on a role-based editing permissions module (based on
JonBob's nodeperm_role.module) where the author of a node controls
which groups can view/edit their post.


September 25, 2004 - 16:34 : mathias

Attachment: http://drupal.org/files/issues/node_perm.patch (655 bytes)

Here is a proposed patch, which would then allow node authors to choose
which users could view/edit their post.


December 21, 2004 - 11:42 : moshe weitzman

seems simple enough to me. we ought to protect against unintentially
changing the author, right? +1


December 27, 2004 - 04:16 : Dries

Hopefully, this will become easier/clear as soon the revisions patch hit
CVS.  Let's revisit this soon.

View: http://drupal.org/node/11071
Edit: http://drupal.org/project/comments/add/11071

More information about the drupal-devel mailing list