- Patch #76444 by chx, moshe, eaton, angie et al: make it possible to control...

- Patch #76444 by chx, moshe, eaton, angie et al: make it possible to control access to form elements.

includes/common.inc

@@ -1692,9 +1692,10 @@ function drupal_cron_run() {
  *   The rendered HTML.
  */
 function drupal_render(&$elements) {
-  if (!isset($elements)) {
+  if (!isset($elements) || (isset($elements['#access']) && !$elements['#access'])) {
     return NULL;
   }
+
   $content = '';
   uasort($elements, "_element_sort");
   if (!isset($elements['#children'])) {
@@ -1792,4 +1793,4 @@ function element_child($key) {
  */
 function element_children($element) {
   return array_filter(array_keys((array) $element), 'element_child');
-}
\ No newline at end of file
+}

includes/form.inc

@@ -496,7 +496,7 @@ function form_builder($form_id, $form) {
       $form['#id'] =  'edit-' . implode('-', $form['#parents']);
     }
 
-    $posted = (($form['#programmed']) || (isset($_POST['edit']) && ($_POST['edit']['form_id'] == $form_id)));
+    $posted = (($form['#programmed']) || ((!isset($form['#access']) || $form['#access']) && isset($_POST['edit']) && ($_POST['edit']['form_id'] == $form_id)));
     $edit = $posted ? $form['#post']['edit'] : array();
     foreach ($form['#parents'] as $parent) {
       $edit = isset($edit[$parent]) ? $edit[$parent] : NULL;
@@ -585,13 +585,18 @@ function form_builder($form_id, $form) {
       $form[$key]['#tree'] = $form['#tree'];
     }
 
+    // deny access to child elements if parent is denied
+    if (isset($form['#access']) && !$form['#access']) {
+      $form[$key]['#access'] = FALSE;
+    }
+
     // don't squash existing parents value
     if (!isset($form[$key]['#parents'])) {
       // Check to see if a tree of child elements is present. If so, continue down the tree if required.
       $form[$key]['#parents'] = $form[$key]['#tree'] && $form['#tree'] ? array_merge($form['#parents'], array($key)) : array($key);
     }
 
-    # Assign a decimal placeholder weight to preserve original array order
+    // Assign a decimal placeholder weight to preserve original array order
     if (!isset($form[$key]['#weight'])) {
       $form[$key]['#weight'] = $count/1000;
     }

modules/comment/comment.module

@@ -281,27 +281,20 @@ function comment_form_alter($form_id, &$form) {
   elseif (isset($form['type'])) {
     if ($form['type']['#value'] .'_node_form' == $form_id) {
       $node = $form['#node'];
-      if (user_access('administer comments')) {
-        $form['comment_settings'] = array(
-          '#type' => 'fieldset',
-          '#title' => t('Comment settings'),
-          '#collapsible' => TRUE,
-          '#collapsed' => TRUE,
-          '#weight' => 30,
-        );
-        $form['comment_settings']['comment'] = array(
-          '#type' => 'radios',
-          '#parents' => array('comment'),
-          '#default_value' => $node->comment,
-          '#options' => array(t('Disabled'), t('Read only'), t('Read/Write')),
-        );
-      }
-      else {
-        $form['comment_settings']['comment'] = array(
-          '#type' => 'value',
-          '#value' => $node->comment,
-        );
-      }
+      $form['comment_settings'] = array(
+        '#type' => 'fieldset',
+        '#access' => user_access('administer comments'),
+        '#title' => t('Comment settings'),
+        '#collapsible' => TRUE,
+        '#collapsed' => TRUE,
+        '#weight' => 30,
+      );
+      $form['comment_settings']['comment'] = array(
+        '#type' => 'radios',
+        '#parents' => array('comment'),
+        '#default_value' => $node->comment,
+        '#options' => array(t('Disabled'), t('Read only'), t('Read/Write')),
+      );
     }
   }
 }

modules/menu/menu.module

@@ -187,7 +187,7 @@ function menu_perm() {
  * Add menu item fields to the node form.
  */
 function menu_form_alter($form_id, &$form) {
-  if (user_access('administer menu') && isset($form['type']) && $form['type']['#value'] .'_node_form' == $form_id) {
+  if (isset($form['type']) && $form['type']['#value'] .'_node_form' == $form_id) {
     $edit = isset($_POST['edit']) ? $_POST['edit'] : '';
     $edit['nid'] = $form['nid']['#value'];
 
@@ -201,6 +201,7 @@ function menu_form_alter($form_id, &$form) {
 
     $form['menu'] = array('#type' => 'fieldset',
       '#title' => t('Menu settings'),
+      '#access' => user_access('administer menu'),
       '#collapsible' => TRUE,
       '#collapsed' => empty($item['title']),
       '#tree' => TRUE,

modules/node/node.module

@@ -1899,28 +1899,38 @@ function node_form($node) {
   }
   $form['#node'] = $node;
 
-  if (user_access('administer nodes')) {
-    // Node author information
-    $form['author'] = array('#type' => 'fieldset', '#title' => t('Authoring information'), '#collapsible' => TRUE, '#collapsed' => TRUE, '#weight' => 20);
-    $form['author']['name'] = array('#type' => 'textfield', '#title' => t('Authored by'), '#maxlength' => 60, '#autocomplete_path' => 'user/autocomplete', '#default_value' => $node->name ? $node->name : '', '#weight' => -1, '#description' => t('Leave blank for %anonymous.', array('%anonymous' => variable_get('anonymous', 'Anonymous'))));
-    $form['author']['date'] = array('#type' => 'textfield', '#title' => t('Authored on'), '#maxlength' => 25, '#description' => t('Format: %time. Leave blank to use the time of form submission.', array('%time' => $node->date)));
-
-    if (isset($node->nid)) {
-      $form['author']['date']['#default_value'] = $node->date;
-    }
+  // Node author information for administrators
+  $form['author'] = array(
+    '#type' => 'fieldset',
+    '#access' => user_access('administer nodes'),
+    '#title' => t('Authoring information'),
+    '#collapsible' => TRUE,
+    '#collapsed' => TRUE,
+    '#weight' => 20,
+  );
+  $form['author']['name'] = array('#type' => 'textfield', '#title' => t('Authored by'), '#maxlength' => 60, '#autocomplete_path' => 'user/autocomplete', '#default_value' => $node->name ? $node->name : '', '#weight' => -1, '#description' => t('Leave blank for %anonymous.', array('%anonymous' => variable_get('anonymous', 'Anonymous'))));
+  $form['author']['date'] = array('#type' => 'textfield', '#title' => t('Authored on'), '#maxlength' => 25, '#description' => t('Format: %time. Leave blank to use the time of form submission.', array('%time' => $node->date)));
 
-    // Node options for administrators
-    $form['options'] = array('#type' => 'fieldset', '#title' => t('Publishing options'), '#collapsible' => TRUE, '#collapsed' => TRUE, '#weight' => 25);
-    $form['options']['status']   = array('#type' => 'checkbox', '#title' => t('Published'), '#default_value' => $node->status);
-    $form['options']['promote']  = array('#type' => 'checkbox', '#title' => t('Promoted to front page'), '#default_value' => $node->promote);
-    $form['options']['sticky']   = array('#type' => 'checkbox', '#title' => t('Sticky at top of lists'), '#default_value' => $node->sticky);
-    $form['options']['revision'] = array('#type' => 'checkbox', '#title' => t('Create new revision'), '#default_value' => $node->revision);
+  if (isset($node->nid)) {
+    $form['author']['date']['#default_value'] = $node->date;
   }
-  else {
-    // Put all of these through as values if the user doesn't have access to them.
-    foreach (array('uid', 'created') as $key) {
-      $form[$key] = array('#type' => 'value', '#value' => $node->$key);
-    }
+
+  // Node options for administrators
+  $form['options'] = array(
+    '#type' => 'fieldset',
+    '#access' => user_access('administer nodes'),
+    '#title' => t('Publishing options'),
+    '#collapsible' => TRUE,
+    '#collapsed' => TRUE,
+    '#weight' => 25,
+  );
+  $form['options']['status']   = array('#type' => 'checkbox', '#title' => t('Published'), '#default_value' => $node->status);
+  $form['options']['promote']  = array('#type' => 'checkbox', '#title' => t('Promoted to front page'), '#default_value' => $node->promote);
+  $form['options']['sticky']   = array('#type' => 'checkbox', '#title' => t('Sticky at top of lists'), '#default_value' => $node->sticky);
+  $form['options']['revision'] = array('#type' => 'checkbox', '#title' => t('Create new revision'), '#default_value' => $node->revision);
+  // These values are used when the user has no administrator accesss.
+  foreach (array('uid', 'created') as $key) {
+    $form[$key] = array('#type' => 'value', '#value' => $node->$key);
   }
 
   // Add the buttons.

modules/path/path.module

@@ -255,13 +255,14 @@ function path_nodeapi(&$node, $op, $arg) {
  * Implementation of hook_form_alter().
  */
 function path_form_alter($form_id, &$form) {
-  if (user_access('create url aliases') && isset($form['type']) && $form['type']['#value'] .'_node_form' == $form_id) {
+  if (isset($form['type']) && $form['type']['#value'] .'_node_form' == $form_id) {
     $path = $form['#node']->path;
     $form['path'] = array(
       '#type' => 'fieldset',
       '#title' => t('URL path settings'),
       '#collapsible' => TRUE,
       '#collapsed' => empty($path),
+      '#access' => user_access('create url aliases'),
       '#weight' => 30,
     );
     $form['path']['path'] = array(

modules/upload/upload.module

@@ -360,13 +360,14 @@ function upload_form_alter($form_id, &$form) {
 
   if (isset($form['type'])) {
     $node = $form['#node'];
-    if ($form['type']['#value'] .'_node_form' == $form_id && variable_get("upload_$node->type", TRUE) && user_access('upload files')) {
+    if ($form['type']['#value'] .'_node_form' == $form_id && variable_get("upload_$node->type", TRUE)) {
       drupal_add_js('misc/progress.js');
       drupal_add_js('misc/upload.js');
 
       // Attachments fieldset
       $form['attachments'] = array(
         '#type' => 'fieldset',
+        '#access' => user_access('upload files'),
         '#title' => t('File attachments'),
         '#collapsible' => TRUE,
         '#collapsed' => empty($node->files),