[drupal-devel] [bug] Users with 'maintain books' or 'edit own book pages' permission cannot delete book pages

rivena drupal-devel at drupal.org
Mon May 23 17:33:19 UTC 2005


Issue status update for http://drupal.org/node/21559

 Project:      Drupal
 Version:      cvs
 Component:    book.module
 Category:     bug reports
 Priority:     normal
 Assigned to:  Anonymous
 Reported by:  clydefrog
 Updated by:   rivena
 Status:       patch

I've been looking at the book module permissions recently, and did a bit
of testing.  I wanted to know what was the minimum permissions needed to
create a new book.  I assumed based on this discussion, and a similar
discussion on the drupal support list that this was 'maintain books'
and 'administer nodes'.  I ran into a problem, then added 'access
nodes' to this.  


So now my user has no other permissions other than 'maintain books',
'administer nodes' and 'access nodes'.  You'd think this is more than
sufficient to do something simple like create a new book, but in fact,
with just these permissions, you do not have access to create a book
page.  You can edit other pages, and move them into a new book.


Once you have create pages permission, you appear to finally have all
the permissions needed, edit own pages is not needed.


So, since, the point of this patch was that not having delete
permission was odd, might I suggest adding create permission to
maintain books?  ;p


Anisa.




rivena



Previous comments:
------------------------------------------------------------------------

April 29, 2005 - 13:32 : clydefrog

Attachment: http://drupal.org/files/issues/delete_own_book_pages.patch (626 bytes)

AFAICT, only 'administer nodes' permission allows deletion of book
pages.


This patch allows users with 'maintain books' or 'edit own book pages'
permission to delete book pages. The logic doesn't check if the node
has updates pending. Should it?




------------------------------------------------------------------------

April 29, 2005 - 23:10 : clydefrog

It's a patch, duh.




------------------------------------------------------------------------

April 29, 2005 - 23:21 : rivena

If maintain books is a permission that overlaps other permissions, it
should say so.  For example, /maintain books (create, edit, and delete
all book pages)/.  


While I agree that someone who has been given maintainer status should
be able to delete pages, I wonder if 'delete own pages' should be made
into a seperate permission.  I could see a situation where I would not
want someone to be able to delete their own pages.


Do these permissions affect things that are not book pages but have
been put into books?


Anisa.
It's /Golden Week/!




------------------------------------------------------------------------

April 30, 2005 - 12:43 : clydefrog

I think it's clear that "maintain books" implies the ability to edit and
delete book pages.


No other node module provides a "delete own " permission, so it would
be inconsistent for book.module to provide it. Can you provide some
examples to justify the inconsistency?


These permissions do not affect nodes which aren't book pages but are
in a book. Those nodes are controlled by their respective type-specific
permissions, but only users with "maintain books" permission can add or
remove those nodes from books. I believe this is the correct behavior.




------------------------------------------------------------------------

April 30, 2005 - 20:03 : rivena

Hmm...  But, you just said that until this patch, it *didn't* include
the delete pages permission.  Right?  So, now you are changing it's
behavior, but leaving the wording the same.  How will people know?  Or
does it not matter, because you presume they didn't really know it
didn't include delete in the first place?


I don't know that I can defend my idea of having a seperate delete own
pages permission against a standard of consistency.  If all the other
edit own permissions include the delete pages permission, then I have
no quibbles.  :)


Except it would be more userfriendly if I knew what the permissions
meant before I granted them to someone, without having to look at the
code.  But I do realize that is completely out of the scope of the
patch.  :)


Where do all these little changes *go*, anyway?  The changelog just
says things like...  refractored the search module.


Anisa.




------------------------------------------------------------------------

May 1, 2005 - 01:04 : clydefrog

I believe that "maintain books" permission implies the ability to delete
book pages, so this patch fixes that bug.


Other node modules include deletion in the "edit own" permission. For
example, page.module:



<?php
  if ($op == 'update' || $op == 'delete') {
    if (user_access('edit own pages') && ($user->uid ==
$node->uid)) {
      return TRUE;
    }
  }
?>




I agree that it would be better if permissions were clearer about what
they implied. There was a discussion started by killes [1] a while ago:


"One problem with Drupal is the way it handles user permissions. The
permissions are attached to the user object but nobody really knows
what
they do. To find out what a particular permission allows you to do, you
often need to have a look at the code.

"
I don't know if it ever lead to any code.


I think the changelog is meant to list the changes since the previous
version without too much technical detail. If you want to see every
last change, take a look at the cvs messages [2].
[1] http://lists.drupal.org/archives/drupal-devel/2005-04/msg00704.html
[2] http://drupal.org/project/cvs/3060







More information about the drupal-devel mailing list