The S-Files: "Why can't a user edit content?"

A few days ago a user emailed with a problem about giving users the ability to edit content. The problem started with a small site that had been added to over time. Now that there were a few more pages to maintain, the webmaster wanted to give other users access to manage a few pages.

Since they had started out with only a couple of content types and needed extra control, they added the Content Access module and configured it properly. The webmaster's goal was to give Sally, the company president, the ability to edit the "Executive Management" team. The problem was that no matter which permissions (View, Edit or Delete) the user was given, Sally's user could not edit the pages.

Thinking that there must be a problem with permissions, the webmaster had already gone to the Post Settings page and clicked on the "Rebuild Permissions" button. This didn't solve the problem. In fact, they also removed the modules, thinking it might have something to do with the Content Access module. Alas, none of this helped. In a final act of desperation they gave all users the right to edit "page" content on the site. Still, nothing worked as desired.

The symptom was that whenever Sally would visit the page she wouldn't see the "Edit" tab just under the page title. When the webmaster visited the page the link was there. After checking and re-checking the permissions and even looking through the issue queues on they were stumped.

Taking a look at the site, the problem quickly became apparent. It's one of those things that is often set and forgotten about because it hides so neatly in plain sight. The issue preventing Sally from editing the pages was that the "Input Format" setting was set to a format which users in Sally's role weren't allowed to use. After all of the other access checks, Drupal checks whether the user has the right to use the input format that is in use on the particular page. While the reason for this may not be immediately apparent, it is easier to see if we take a look at an input format that allows PHP code to be executed. Because granting this permission gives a user unfettered access to any part of a site, it is necessary to carefully check that anybody able to execute PHP has that very specific permission.

Once the webmaster went to Site Configuration >> Input Formats and gave Sally (and other users with her role) the right to use the Full HTML format, she was able to see and edit the page. Problem solved, and Acquia support was on to help the next Drupal user looking for support...
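The two checks described above can be sketched as a small audit, shown here as an added example that is not Drupal's own code and not from the original support case. It is a simplified model: the role names, the second "Custom report" page, the "PHP code" format entry and the data layout are constructed for illustration, and it assumes the site's default format is usable by every role.

```python
from dataclasses import dataclass, field

# Constructed sample data: which roles may use each input format.
# None marks the site default format, assumed usable by every role.
FORMAT_ROLES = {
    "Filtered HTML": None,
    "Full HTML": {"webmaster"},
    "PHP code": {"webmaster"},  # keep this one tightly restricted
}

@dataclass
class User:
    name: str
    roles: set
    permissions: set = field(default_factory=set)

@dataclass
class Node:
    title: str
    type: str
    format: str

def may_use_format(user, fmt, format_roles):
    """True if the format is the default or one of the user's roles may use it."""
    allowed = format_roles[fmt]
    return allowed is None or bool(user.roles & allowed)

def edit_decision(user, node, format_roles):
    """Return (allowed, reason): content permission first, then the format check."""
    if f"edit any {node.type} content" not in user.permissions:
        return False, "missing content-type edit permission"
    if not may_use_format(user, node.format, format_roles):
        return False, f"role may not use input format '{node.format}'"
    return True, "ok"

def audit(users, nodes, format_roles):
    """List (user, node title, reason) for every edit that would be denied."""
    return [(u.name, n.title, reason)
            for u in users for n in nodes
            for ok, reason in [edit_decision(u, n, format_roles)] if not ok]

if __name__ == "__main__":
    sally = User("sally", {"president"}, {"edit any page content"})
    nodes = [Node("Executive Management", "page", "Full HTML"),
             Node("Custom report", "page", "PHP code")]
    print(audit([sally], nodes, FORMAT_ROLES))   # both pages blocked by format
    FORMAT_ROLES["Full HTML"].add("president")   # the fix applied in this case
    print(audit([sally], nodes, FORMAT_ROLES))   # only the PHP page stays blocked
```

Running the audit before handing out edit rights shows which pages will silently lack the "Edit" tab, and confirms that widening Full HTML does not also open the PHP format.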

At the same time there is an effort to make this issue go away in the forthcoming Drupal 7 release. If it is one that has bitten you or you would like to see fixed be sure to check out and Become a community hero by testing the patches and providing feedback!