Confused about ownership changes


Confused about ownership changes

Hilary Caws-Elwitt

Hi all,

 

Page ownership changes when default users edit page settings, but not when higher Drupal roles do. Is this by design?

 

We initially thought it was a bug that a default user could take away page ownership from a webmaster just by saving page settings, but the Middlebury wiki indicates that’s expected behavior (“The owner of a page is the last person who edited the page's setting” - http://mediawiki.middlebury.edu/wiki/LIS/Monster_Menus_Permissions ). But when a user with a higher role edits a page’s settings, the ownership stays with the original user.

 

Also, the wiki says the behavior on content nodes is the same; but that doesn’t appear to be the case. A default user can make settings changes to content without changing ownership. Even removing oneself from “Who can edit or delete this content” doesn’t change ownership, so the user can lock themselves out of permissions on a piece of content—but not on a page. I’m confused… can anyone shed some light? Thanks!

--

Hilary Caws-Elwitt

IT Analyst - Five Colleges, Inc. - http://www.fivecolleges.edu

97 Spring St, Amherst MA 01002

[hidden email] - 413-542-4022

 

---

You are currently subscribed to monster_menus as: [hidden email].

To unsubscribe click here: http://lists.middlebury.edu/u?id=685503.6b071f880fe6a965a128164e6d09ea81&n=T&l=monster_menus&o=697180

(It may be necessary to cut and paste the above URL if the line is broken)

or send a blank email to [hidden email]


Re: Confused about ownership changes

Dan Wilga-2
On 1/10/14, 12:25 PM, Hilary Caws-Elwitt wrote:

> Hi all,
>
> Page ownership changes when default users edit page settings, but not when higher Drupal roles do. Is this by design?

Sort of. The intent was for ownership to always change to whoever is editing the page's settings. However, in the case of users with "administer all menus" permission, they have the ability to change ownership to anyone they please, so this is not done automatically.

It's actually important *not* to automatically change ownership to an admin in this case. Let's say User1 is an admin editing a page owned by User2, and there are no other permissions set on the page. If we were to automatically give User1 ownership, then User2 would no longer be able to edit the page's settings or add content.

> We initially thought it was a bug that a default user could take away page ownership from a webmaster just by saving page settings, but the Middlebury wiki indicates that’s expected behavior (“The owner of a page is the last person who edited the page's setting” - http://mediawiki.middlebury.edu/wiki/LIS/Monster_Menus_Permissions ). But when a user with a higher role edits a page’s settings, the ownership stays with the original user.

I guess the question this raises is: what is the concern? The only possible downside I can see is this scenario:

1. A page is owned by User1, with delete/change possible for User2.
2. User2 edits the page's settings.
3. User2 now owns the page, and User1 no longer has any special access.

Is this what you're running into? If so, I could see the argument for not doing the automatic change, but I would also want to look back in the code to see if there's some historic reason I'm forgetting about why it is the way it is.

> Also, the wiki says the behavior on content nodes is the same; but that doesn’t appear to be the case. A default user can make settings changes to content without changing ownership. Even removing oneself from “Who can edit or delete this content” doesn’t change ownership, so the user can lock themselves out of permissions on a piece of content—but not on a page. I’m confused… can anyone shed some light? Thanks!

Yes, your observations are correct.

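The ownership rule described in the reply above, modelled as a small Python sketch; this is an added example, not Monster Menus code and not part of the original thread. The class names, policy names and audit record are hypothetical; only the "administer all menus" permission name and the User1/User2 scenarios come from the thread.

```python
from dataclasses import dataclass, field

ADMIN_PERM = "administer all menus"  # permission name quoted in the thread


@dataclass(frozen=True)
class User:
    name: str
    perms: frozenset = frozenset()


@dataclass
class Page:
    owner: str
    editors: set = field(default_factory=set)  # users granted delete/change

    def can_edit_settings(self, user: User) -> bool:
        return (ADMIN_PERM in user.perms or user.name == self.owner
                or user.name in self.editors)


def save_settings(page: Page, editor: User, policy: str = "auto") -> dict:
    """Save settings; return an audit record of the ownership effect.

    Policies (hypothetical names): "auto" is the behaviour described in the
    thread (owner becomes the editor unless the editor holds ADMIN_PERM),
    "always" transfers even for admins, "manual" never transfers on save.
    """
    if policy not in ("auto", "always", "manual"):
        raise ValueError(f"unknown policy: {policy}")
    if not page.can_edit_settings(editor):
        raise PermissionError(f"{editor.name} may not edit this page's settings")
    previous = User(page.owner)  # assumption: previous owner has no site-wide perms
    if policy == "always" or (policy == "auto" and ADMIN_PERM not in editor.perms):
        page.owner = editor.name
    return {"previous_owner": previous.name, "owner": page.owner,
            "previous_owner_locked_out": not page.can_edit_settings(previous)}


def delegate_saves(policy: str) -> dict:
    """Dan's scenario: User1 owns, User2 has delete/change, User2 saves."""
    page = Page(owner="User1", editors={"User2"})
    return save_settings(page, User("User2"), policy)


def admin_saves(policy: str) -> dict:
    """Admin User1 saves a page owned by User2 with no other permissions."""
    page = Page(owner="User2")
    return save_settings(page, User("User1", frozenset({ADMIN_PERM})), policy)
```

The `previous_owner_locked_out` flag in the returned record is the condition an audit log or a pre-save check would alert on.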


RE: Confused about ownership changes

Hilary Caws-Elwitt

Thanks, Dan. Yes, your scenario where User1 loses access because of the automatic ownership change is what we’ve run into, but it’s infrequent. I am curious about what the harm would be in leaving ownership with the creator until/unless a change is done manually, because that seems kind of counter-intuitive. Not a big deal, though—thank you for confirming what the current situation is.

 

--

Hilary Caws-Elwitt

IT Analyst - Five Colleges, Inc. - http://www.fivecolleges.edu

97 Spring St, Amherst MA 01002

[hidden email] - 413-542-4022

 

From: Dan Wilga [mailto:[hidden email]]
Sent: Friday, January 10, 2014 3:50 PM
To: Monster Menus Development
Subject: Re: Confused about ownership changes

 
