Here's a patch to fix a SQL query in the upload module so that it uses the node_access functions.

Attachment: upload_0.patch (636 bytes), by Steve Dondley

Comments

Steven:

Essentially this patch lets the node access think that the "files" table is the "node" table. This might be fine for simple node access, but it might give troubles in the future.

Ideally, we'd do a join on the node table instead.

chx:

There was a taxonomy.module patch for node_access_*_sql calls, here is one for upload, and I think there is a related bug in archive.module on line 76, this query should call the node_access_*_sql functions (did not make a bug report, 'cos I did not have the time to check it out).

This is messy. My node builder proposal would do away with most of these -- this bug being an exception, 'cos it is not JOIN'd with node.

chx:

However, this shows that we must look through the Drupal queries and ask for each:

a) If node table is already among the joined tables, is a node_access_*_sql call needed?

b) If node table is not joined, but the table has a nid field, node shall be JOIN'd and GOTO a)

If a) is formulated "is it true that calling node_access_*_sql is not harmful here", which in most cases is true, it can be passed through the node query builder, and that's that.
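
The a)/b) review questions above, written out as a small audit script. This is an example added here, not code from the patch or from Drupal; the PHP sample lines are constructed, and the set of nid-bearing tables is an assumption of the example.

```python
import re

# Assumption for this example: tables that carry a nid column.
NID_TABLES = {"files", "term_node", "comments"}

# Constructed sample source, not taken from upload.module or the patch.
SAMPLE = r"""
$a = db_query('SELECT f.* FROM {files} f WHERE f.nid = %d', $nid);
$b = db_query('SELECT f.* FROM {files} f '. node_access_join_sql('f') .' WHERE '. node_access_where_sql() .' AND f.fid = %d', $fid);
$c = db_query('SELECT n.nid FROM {node} n WHERE n.status = 1');
$d = db_query('SELECT n.nid FROM {node} n '. node_access_join_sql() .' WHERE '. node_access_where_sql() .' AND n.status = 1');
$e = db_query('SELECT * FROM {variable}');
"""

STATEMENT = re.compile(r"db_query\((.*?)\);", re.S)
TABLE = re.compile(r"\{(\w+)\}")
ACCESS_CALL = re.compile(r"node_access_\w+_sql\s*\(")


def classify(statement):
    """Apply the a)/b) questions to one db_query() call."""
    tables = set(TABLE.findall(statement))
    has_access_call = bool(ACCESS_CALL.search(statement))
    if "node" in tables:
        # a) node is joined: is the access rewrite applied?
        return "ok" if has_access_call else "needs-access-call"
    if tables & NID_TABLES:
        # b) nid-bearing table without node: JOIN node first, then redo a).
        # This also catches access calls aimed at a non-node alias.
        return "join-node"
    return "not-node-data"


def audit(source):
    """Return (verdict, first table) for every db_query() call in source."""
    findings = []
    for match in STATEMENT.finditer(source):
        stmt = match.group(1)
        tables = TABLE.findall(stmt)
        findings.append((classify(stmt), tables[0] if tables else None))
    return findings


if __name__ == "__main__":
    for verdict, table in audit(SAMPLE):
        print(f"{verdict:18} {table}")
```

Query `$b` is flagged even though it calls the access functions, because they are pointed at the `{files}` alias instead of a joined `{node}` table.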

Dries:

Committed to HEAD and DRUPAL-4-5.
