[development] problems with permissions on node

Lluís enboig at gmail.com
Thu Nov 19 11:17:56 UTC 2009


ok, thanks

On Wed, Nov 18, 2009 at 5:32 PM, Jamie Holly <hovercrafter at earthlink.net> wrote:
> Don't forget to add a $ before your is_author, or it will continue to fail
> on anyone without the "edit any nodetype" permission.
>
> Jamie Holly
> http://www.intoxination.net http://www.hollyit.net
>
>
>
> Lluís wrote:
>>
>> After some research I found the error was not using "break;"; so after
>> checking update permission, delete permission was taking the lead.
>>
>>    case 'update':
>>      $output = user_access('edit own nodetype', $account) && is_author ||
>>        user_access('edit any nodetype', $account);
>>      if ($output) return TRUE;
>>      break; //  <----------
>>
>>
>> On Wed, Nov 18, 2009 at 3:52 PM, Ken Rickard <agentrickard at gmail.com>
>> wrote:
>> > node_access() is not proper here, since hook_access() is called within
>> > the node_access() stack (so calling it again creates a loop).
>> >
>> > The problem may be security. Read the node_access() function and note
>> > that there are 4 separate return statements (3 FALSE and a TRUE) before
>> > hook_access() is invoked.
>> >
>> > Typically, this is a filter access problem, as the node body may be
>> > using a filter not accessible to the user trying to edit the node.
>> >
>> > - Ken
>> >
>> > On Wed, Nov 18, 2009 at 9:18 AM, Svein-Tore With
>> > <Svein-Tore.With at telemed.no> wrote:
>> >> I think you need to add a "$" sign in line 7
>> >>
>> >> Cheers,
>> >> Svein-Tore With (username falcon)
>> >>
>> >>> function nodetype_access($op, $node, $account) {
>> >>>   $is_author = $account->uid == $node->uid;
>> >>>   switch ($op) {
>> >>>     case 'create':
>> >>>       return user_access('create nodetype', $account);
>> >>>     case 'update':
>> >>>       $output = user_access('edit own nodetype', $account) &&
>> >>> [HERE]is_author ||
>> >>>         user_access('edit any nodetype', $account);
>> >>>       if ($output) return TRUE;
>> >>>     case 'delete':
>> >>>       return user_access('delete own nodetype', $account) &&
>> >>> $is_author ||
>> >>>         user_access('delete any nodetype', $account);
>> >>>   }
>> >>> }
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Ken Rickard
>> > agentrickard at gmail.com
>> > http://ken.therickards.com
>> >
>>
>>
>>
>>
>



-- 
*Rules are there so that you think before you break them
*Life is like an orange, what are you waiting for to squeeze it?
*If you think education is expensive, try ignorance.
*Life is like a coin, you can spend it on whatever you want but
only once.
*Before printing this message, think of the environment.
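
The two fixes discussed in this thread (the "$" on is_author and the "break;" after the update check) applied to the posted hook, as an added example that is not part of the original messages. user_access() is stubbed here, and the node, accounts and $cases labels are constructed, so the script runs outside Drupal.

```php
<?php
// Added example, not Drupal code: user_access() is a stub for Drupal's
// function of the same name, and the node and accounts are constructed.
function user_access($perm, $account) {
  return in_array($perm, $account->perms, TRUE);
}

// The hook from the thread with both fixes applied: "$is_author" has its "$"
// and "break;" stops 'update' from falling through into the 'delete' rule.
function nodetype_access($op, $node, $account) {
  $is_author = $account->uid == $node->uid;
  switch ($op) {
    case 'create':
      return user_access('create nodetype', $account);
    case 'update':
      $output = user_access('edit own nodetype', $account) && $is_author ||
        user_access('edit any nodetype', $account);
      if ($output) return TRUE;
      break; // without this, a denied 'update' is answered by the 'delete' case
    case 'delete':
      return user_access('delete own nodetype', $account) && $is_author ||
        user_access('delete any nodetype', $account);
  }
  // Leaving the switch without a return yields NULL.
}

// Constructed test matrix: the node belongs to uid 1.
$node = (object) array('uid' => 1);
$cases = array(
  'author, edit own'     => array(1, array('edit own nodetype')),
  'non-author, edit own' => array(2, array('edit own nodetype')),
  'non-author, edit any' => array(2, array('edit any nodetype')),
  'delete any only'      => array(2, array('delete any nodetype')),
);

foreach ($cases as $label => $case) {
  $account = (object) array('uid' => $case[0], 'perms' => $case[1]);
  printf("%-22s update=%-5s delete=%s\n", $label,
    var_export(nodetype_access('update', $node, $account), TRUE),
    var_export(nodetype_access('delete', $node, $account), TRUE));
}
```

The "delete any only" account is the case the missing "break;" affected: in the code as first posted, its denied update fell into the delete rule and came back TRUE.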

