Commit 33f455d2 authored by Gábor Hojtsy's avatar Gábor Hojtsy

#153998 by David_Rothstein and myself: clean up permissions in book, blog,...

#153998 by David_Rothstein and myself: clean up permissions in book, blog, blogapi, forum and locale modules
parent 7de29914
...@@ -887,7 +887,7 @@ function theme_aggregator_block_item($item, $feed = 0) { ...@@ -887,7 +887,7 @@ function theme_aggregator_block_item($item, $feed = 0) {
global $user; global $user;
$output = ''; $output = '';
if ($user->uid && module_exists('blog') && user_access('edit own blog')) { if ($user->uid && module_exists('blog') && user_access('create blog entries')) {
if ($image = theme('image', 'misc/blog.png', t('blog it'), t('blog it'))) { if ($image = theme('image', 'misc/blog.png', t('blog it'), t('blog it'))) {
$output .= '<div class="icon">'. l($image, 'node/add/blog', array('attributes' => array('title' => t('Comment on this news item in your personal blog.'), 'class' => 'blog-it'), 'query' => "iid=$item->iid", 'html' => TRUE)) .'</div>'; $output .= '<div class="icon">'. l($image, 'node/add/blog', array('attributes' => array('title' => t('Comment on this news item in your personal blog.'), 'class' => 'blog-it'), 'query' => "iid=$item->iid", 'html' => TRUE)) .'</div>';
} }
......
...@@ -23,21 +23,21 @@ function blog_node_info() { ...@@ -23,21 +23,21 @@ function blog_node_info() {
* Implementation of hook_perm(). * Implementation of hook_perm().
*/ */
function blog_perm() { function blog_perm() {
return array('edit own blog'); return array('create blog entries', 'delete own blog entries', 'delete any blog entry', 'edit own blog entries', 'edit any blog entry');
} }
/** /**
* Implementation of hook_access(). * Implementation of hook_access().
*/ */
function blog_access($op, $node, $account) { function blog_access($op, $node, $account) {
if ($op == 'create') { switch ($op) {
return user_access('edit own blog', $account) && $account->uid; case 'create':
} // Anonymous users cannot post even if they have the permission.
return user_access('create blog entries', $account) && $account->uid;
if ($op == 'update' || $op == 'delete') { case 'update':
if (user_access('edit own blog', $account) && ($node->uid == $account->uid)) { return user_access('edit any blog entry', $account) || (user_access('edit own blog entries', $account) && ($node->uid == $account->uid));
return TRUE; case 'delete':
} return user_access('delete any blog entry', $account) || (user_access('delete own blog entries', $account) && ($node->uid == $account->uid));
} }
} }
...@@ -45,7 +45,7 @@ function blog_access($op, $node, $account) { ...@@ -45,7 +45,7 @@ function blog_access($op, $node, $account) {
* Implementation of hook_user(). * Implementation of hook_user().
*/ */
function blog_user($type, &$edit, &$user) { function blog_user($type, &$edit, &$user) {
if ($type == 'view' && user_access('edit own blog', $user)) { if ($type == 'view' && user_access('create blog entries', $user)) {
$user->content['summary']['blog'] = array( $user->content['summary']['blog'] = array(
'#type' => 'user_profile_item', '#type' => 'user_profile_item',
'#title' => t('Blog'), '#title' => t('Blog'),
...@@ -145,7 +145,7 @@ function blog_menu() { ...@@ -145,7 +145,7 @@ function blog_menu() {
'page callback' => 'blog_page_user', 'page callback' => 'blog_page_user',
'page arguments' => array(1), 'page arguments' => array(1),
'access callback' => 'user_access', 'access callback' => 'user_access',
'access arguments' => array('edit own blog', 1), 'access arguments' => array('create blog entries', 1),
'file' => 'blog.pages.inc', 'file' => 'blog.pages.inc',
); );
$items['blog/%user/feed'] = array( $items['blog/%user/feed'] = array(
......
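Review bot: In the blog_access hunk the update and delete cases now return FALSE whenever the account holds neither the "any" nor the "own" permission, whereas the old code only ever returned TRUE and otherwise fell through to NULL. If node_access() in this code base treats any non-NULL hook result as final (as I believe Drupal 6's does), this turns "no opinion" into a hard deny and node-access grant modules can no longer allow those operations, a behaviour change the commit message does not mention; the same shift appears in the forum_access hunk and in the new poll_access delete case. If the hard deny is intended, say so at the top of the switch, e.g. `// A FALSE result is final: node_access() does not fall back to grants.`; otherwise keep the previous shape, `if (...) { return TRUE; } break;`, so unmatched cases still yield NULL. The switch also has no default, so every other $op (view, for instance) returns NULL, which deserves a one-line comment as the intended no-opinion result.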
...@@ -16,7 +16,7 @@ function blog_page_user($account) { ...@@ -16,7 +16,7 @@ function blog_page_user($account) {
$items = array(); $items = array();
if (($account->uid == $user->uid) && user_access('edit own blog')) { if (($account->uid == $user->uid) && user_access('create blog entries')) {
$items[] = l(t('Post new blog entry.'), "node/add/blog"); $items[] = l(t('Post new blog entry.'), "node/add/blog");
} }
else if ($account->uid == $user->uid) { else if ($account->uid == $user->uid) {
......
<?php
// $Id$
/**
* @defgroup updates-5.x-to-6.x Blog API updates from 5.x to 6.x
* @{
*/
/**
* Inform users about the new permission.
*/
function blogapi_update_6000() {
drupal_set_message("Blog API module does not depend on blog module's permissions anymore, but provides its own 'administer content with blog api' permission instead. Until <a href=\"". url('admin/user/permissions', array('fragment' => 'module-blogapi')) .'">this permission is assigned</a> to at least one user role, only the site administrator will be able to use Blog API features.');
return array();
}
/**
* @} End of "defgroup updates-5.x-to-6.x"
* The next series of updates should start at 7000.
*/
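Review bot: blogapi_update_6000 grants the new 'administer content with blog api' permission to no role, so roles that previously reached Blog API through 'edit own blog' lose XML-RPC access until an administrator opts them in, yet the docblock only says "Inform users about the new permission". Record that this is deliberate so a later maintainer does not "fix" it by migrating the old permission, e.g. `* The permission is intentionally granted to no role: remote content access` / `* is opt-in per role, so only the site administrator can use Blog API until then.` The message string is built with a raw url() link rather than t(), which matches the other update hooks in this commit, so no change there.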
...@@ -20,6 +20,13 @@ function blogapi_help($path, $arg) { ...@@ -20,6 +20,13 @@ function blogapi_help($path, $arg) {
} }
} }
/**
* Implementation of hook_perm().
*/
function blogapi_perm() {
return array('administer content with blog api');
}
/** /**
* Implementation of hook_xmlrpc(). * Implementation of hook_xmlrpc().
*/ */
...@@ -508,7 +515,7 @@ function blogapi_validate_user($username, $password) { ...@@ -508,7 +515,7 @@ function blogapi_validate_user($username, $password) {
$user = user_authenticate(array('name' => $username, 'pass' => $password)); $user = user_authenticate(array('name' => $username, 'pass' => $password));
if ($user->uid) { if ($user->uid) {
if (user_access('edit own blog', $user)) { if (user_access('administer content with blog api', $user)) {
return $user; return $user;
} }
else { else {
......
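Review bot: In the blogapi_validate_user hunk the permission check runs only after user_authenticate() has already succeeded, so an account with valid credentials but without 'administer content with blog api' is authenticated first and rejected afterwards; if user_authenticate() here finalizes a login (session, access timestamp, watchdog entry), that side effect still occurs for the rejected account. A comment at the check would make the ordering explicit, e.g. `// Credentials are valid; the permission decides whether XML-RPC may be used.`, and it is worth confirming that the else branch does not reveal whether the credentials or the permission failed. The function's body, including that else branch, continues outside the hunk.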
...@@ -305,14 +305,13 @@ function forum_node_info() { ...@@ -305,14 +305,13 @@ function forum_node_info() {
* Implementation of hook_access(). * Implementation of hook_access().
*/ */
function forum_access($op, $node, $account) { function forum_access($op, $node, $account) {
if ($op == 'create') { switch ($op) {
return user_access('create forum topics', $account); case 'create':
} return user_access('create forum topics', $account);
case 'update':
if ($op == 'update' || $op == 'delete') { return user_access('edit any forum topic', $account) || (user_access('edit own forum topics', $account) && ($account->uid == $node->uid));
if (user_access('edit any forum topic', $account) || (user_access('edit own forum topics', $account) && ($account->uid == $node->uid))) { case 'delete':
return TRUE; return user_access('delete any forum topic', $account) || (user_access('delete own forum topics', $account) && ($account->uid == $node->uid));
}
} }
} }
...@@ -320,7 +319,7 @@ function forum_access($op, $node, $account) { ...@@ -320,7 +319,7 @@ function forum_access($op, $node, $account) {
* Implementation of hook_perm(). * Implementation of hook_perm().
*/ */
function forum_perm() { function forum_perm() {
return array('create forum topics', 'edit own forum topics', 'edit any forum topic', 'administer forums'); return array('create forum topics', 'delete own forum topics', 'delete any forum topic', 'edit own forum topics', 'edit any forum topic', 'administer forums');
} }
/** /**
......
...@@ -54,7 +54,7 @@ function poll_theme() { ...@@ -54,7 +54,7 @@ function poll_theme() {
* Implementation of hook_perm(). * Implementation of hook_perm().
*/ */
function poll_perm() { function poll_perm() {
return array('create poll content', 'edit any poll content', 'edit own poll content', 'vote on polls', 'cancel own vote', 'inspect all votes'); return array('create poll content', 'delete own poll content', 'delete any poll content', 'edit any poll content', 'edit own poll content', 'vote on polls', 'cancel own vote', 'inspect all votes');
} }
/** /**
...@@ -66,6 +66,8 @@ function poll_access($op, $node, $account) { ...@@ -66,6 +66,8 @@ function poll_access($op, $node, $account) {
return user_access('create poll content', $account); return user_access('create poll content', $account);
case 'update': case 'update':
return user_access('edit any poll content', $account) || (user_access('edit own poll content', $account) && ($node->uid == $account->uid)); return user_access('edit any poll content', $account) || (user_access('edit own poll content', $account) && ($node->uid == $account->uid));
case 'delete':
return user_access('delete any poll content', $account) || (user_access('delete own poll content', $account) && ($node->uid == $account->uid));
} }
} }
......
...@@ -2414,6 +2414,40 @@ function system_update_6044() { ...@@ -2414,6 +2414,40 @@ function system_update_6044() {
return $ret; return $ret;
} }
/**
* Update blog, book and locale module permissions.
*
* Blog module got "edit own blog" replaced with the more granular "create
* blog entries", "edit own blog entries" and "delete own blog entries"
* permissions. We grant create and edit to previously privileged users, but
* delete is not granted to be in line with other permission changes in Drupal 6.
*
* Book module's "edit book pages" was upgraded to the bogus "edit book content"
* in Drupal 6 RC1 instead of "edit any book content", which would be correct.
*
* Locale module introduced "administer languages" and "translate interface"
* in place of "administer locales".
*
* Modeled after system_update_6039().
*/
function system_update_6045() {
$ret = array();
$result = db_query("SELECT rid, perm FROM {permission} ORDER BY rid");
while ($role = db_fetch_object($result)) {
$renamed_permission = preg_replace('/(?<=^|,\ )edit\ own\ blog(?=,|$)/', 'create blog entries, edit own blog entries', $role->perm);
$renamed_permission = preg_replace('/(?<=^|,\ )edit\ book\ content(?=,|$)/', 'edit any book content', $renamed_permission);
$renamed_permission = preg_replace('/(?<=^|,\ )administer\ locales(?=,|$)/', 'administer languages, translate interface', $renamed_permission);
if ($renamed_permission != $role->perm) {
$ret[] = update_sql("UPDATE {permission} SET perm = '$renamed_permission' WHERE rid = $role->rid");
}
}
// Notify user that delete permissions may have been changed. This was in
// effect since system_update_6039(), but there was no user notice.
drupal_set_message('Drupal now has separate edit and delete permissions. Previously, users who were able to edit content were automatically allowed to delete it. For added security, delete permissions for individual core content types have been <strong>removed</strong> from all roles on your site (only roles with the "administer nodes" permission can now delete these types of content). If you would like to reenable any individual delete permissions, you can do this at the <a href="'. url('admin/user/permissions', array('fragment' => 'module-node')) .'">permissions page</a>.');
return $ret;
}
/** /**
* @} End of "defgroup updates-5.x-to-6.x" * @} End of "defgroup updates-5.x-to-6.x"
* The next series of updates should start at 7000. * The next series of updates should start at 7000.
......
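Review bot: In system_update_6045 the rewritten permission string is interpolated straight into the UPDATE statement, `update_sql("UPDATE {permission} SET perm = '$renamed_permission' WHERE rid = $role->rid")`, with no escaping. The value comes from the permission table and is only extended with fixed literals, so the risk is low, but a permission name containing a quote (contrib modules pick their own hook_perm() strings) would break the statement or corrupt the row; escaping is one line, `$renamed_permission = db_escape_string($renamed_permission);`, placed just before the update_sql() call. The docblock is otherwise thorough; a one-line note that the preg_replace lookarounds exist to match whole comma-separated names rather than substrings would help the next reader.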