example_author from hook_node_grants/hook_node_access_records grants all anon edit/delete to uid=0 nodes [#2011066]

Example_author author never checks if user is set/not anonymous, so the grant is granted to any anonymous users, which is not quite the expected thing in most situations.

Should add checks for if ($node->uid) and if ($account->uid)

#2011058: If no author, node_access_example_author grant allows all anonyomous traffic to edit/delete node examples module issue

Beta phase evaluation

Reference: https://www.drupal.org/core/beta-changes
Issue category	Bug because the example is a bit confusing/insecure
Unfrozen changes	Unfrozen because it only changes documentation to be better

Comment	File	Size	Author
#17	D7-node-access-api-grants-all-to-uid-zero-2011066-17.patch	1.16 KB	adci_contributor
#17
#11	node-access-api-grants-all-to-uid-zero-2011066-11.patch	1.28 KB	adci_contributor
#11
#9	DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-9.patch	1.27 KB	joshi.rohit100
#9
#8	DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-8.patch	2.08 KB	Grimreaper
#8
#5	DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-5.patch	2.07 KB	Grimreaper
#5
#3	DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-3.patch	1.32 KB	Grimreaper
#3
#2	DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-2.patch	1.18 KB	esbandeira
#2

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

esbandeira CreditAttribution: esbandeira commented 12 June 2013 at 17:40

Assigned:

Unassigned

» esbandeira

I'll work on this.

Comment #2

esbandeira CreditAttribution: esbandeira commented 20 June 2013 at 20:57

Status:

Active

» Needs review

File	Size
DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-2.patch	1.18 KB

Please review, I've perform the maintenance needed in this code.
Regards
Eduardo.

Comment #2.0

esbandeira CreditAttribution: esbandeira commented 20 June 2013 at 20:57

Issue summary:

View changes

adding link to examples module issue

Comment #3

Grimreaper

French

France 🇫🇷

CreditAttribution: Grimreaper commented 30 March 2014 at 17:04

Issue summary:

View changes

File	Size
DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-3.patch	1.32 KB

Hello,

I remade a patch because the previous one was no more appliyable.

Is there something to test in the interface ?

Is there something to change in the documentation blocks ?

Else I see no problem.

Comment #4

30 March 2014 at 17:07

Status:

Needs review

» Needs work

The last submitted patch, 3: DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-3.patch, failed testing.

Comment #5

Grimreaper

French

France 🇫🇷

CreditAttribution: Grimreaper commented 30 March 2014 at 17:15

Status:

Needs work

» Needs review

File	Size
DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-5.patch	2.07 KB

1 file was hidden/shown/deleted

File	Size
DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-3.patch	1.32 KB

Should be good now.

Comment #6

hefox CreditAttribution: hefox commented 31 March 2014 at 17:12

+++ b/core/modules/node/node.api.php
@@ -173,21 +173,23 @@
+  if ($account->uid) {

should this be $account->id()?

not familiar with account->id(), just guessing.

Comment #7

Grimreaper

French

France 🇫🇷

CreditAttribution: Grimreaper commented 31 March 2014 at 17:27

Hello,

I just review and rebase the previous patch.

If you tell me that $account->id() exists and it is better, ok no problem I will remake a patch.

You guess right, I was not familiar with its :)

Comment #8

Grimreaper

French

France 🇫🇷

CreditAttribution: Grimreaper commented 31 March 2014 at 19:37

File	Size
DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-8.patch	2.08 KB

Using $account->id() and $node->getOwnerId().

I don't know what I had in mind when I said "If you tell me that $account->id() exists" in the previous comment.

It was already in the code... Shame on me.

Comment #9

joshi.rohit100

he/him

Hindi

Delhi, India

CreditAttribution: joshi.rohit100 commented 12 June 2014 at 10:28

File	Size
DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-9.patch	1.27 KB

Created new patch as last patch failed to apply.
Please review.

Comment #10

jhedstrom

English

Portland, OR

CreditAttribution: jhedstrom commented 17 December 2014 at 22:36

Status:	Needs review	» Needs work
Issue tags:		+Needs reroll

3 files were hidden/shown/deleted

File	Size
DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-2.patch	1.18 KB

DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-5.patch	2.07 KB

DrupalCore-8.x-dev-node-access-api-grants-all-to-uid-zero-2011066-8.patch	2.08 KB

Comment #11

adci_contributor CreditAttribution: adci_contributor commented 18 December 2014 at 08:59

Status:	Needs work	» Needs review
Issue tags:	-Needs reroll

File	Size
node-access-api-grants-all-to-uid-zero-2011066-11.patch	1.28 KB

Trying to reroll

Comment #12

Wim Leers

Ghent 🇧🇪🇪🇺

CreditAttribution: Wim Leers commented 18 December 2014 at 10:57

Issue tags:

+Documentation

Comment #13

jhedstrom

English

Portland, OR

CreditAttribution: jhedstrom commented 19 December 2014 at 18:15

Issue summary:	View changes
Status:	Needs review	» Reviewed & tested by the community

This looks good.

I've also added a beta phase evaluation to the issue summary.

Comment #14

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott commented 23 December 2014 at 09:38

Status:

Reviewed & tested by the community

» Fixed

Committed 6a3b965 and pushed to 8.0.x. Thanks!

Thanks for adding the beta evaluation for to the issue summary.

Comment #15

23 December 2014 at 09:40

alexpott committed 6a3b965 on 8.0.x

Issue #2011066 by Grimreaper, esbandeira, joshi.rohit100,...

Comment #16

David_Rothstein CreditAttribution: David_Rothstein commented 4 January 2015 at 19:49

Version:	8.0.x-dev	» 7.x-dev
Status:	Fixed	» Patch (to be ported)
Issue tags:		+Needs backport to D7

Looks relevant for Drupal 7, I think, especially since the Examples module issue this grew out of was also for Drupal 7.

Comment #17

adci_contributor CreditAttribution: adci_contributor commented 12 January 2015 at 02:47

Status:

Patch (to be ported)

» Needs review

File	Size
D7-node-access-api-grants-all-to-uid-zero-2011066-17.patch	1.16 KB

Trying to backport

Comment #18

19 November 2015 at 17:53

alexpott committed 6a3b965 on 8.1.x

Issue #2011066 by Grimreaper, esbandeira, joshi.rohit100,...

Comment #19

3 August 2016 at 00:04

alexpott committed 6a3b965 on 8.3.x

Issue #2011066 by Grimreaper, esbandeira, joshi.rohit100,...

Comment #20

3 August 2016 at 00:05

alexpott committed 6a3b965 on 8.3.x

Issue #2011066 by Grimreaper, esbandeira, joshi.rohit100,...

Comment #21

27 January 2017 at 17:53

alexpott committed 6a3b965 on 8.4.x

Issue #2011066 by Grimreaper, esbandeira, joshi.rohit100,...

Comment #22

27 January 2017 at 17:52

alexpott committed 6a3b965 on 8.4.x

Issue #2011066 by Grimreaper, esbandeira, joshi.rohit100,...

example_author from hook_node_grants/hook_node_access_records grants all anon edit/delete to uid=0 nodes

Beta phase evaluation

Comments

Comment #1

Comment #2

Comment #2.0

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Comment #13

Comment #14

Comment #15

Comment #16

Comment #17

Comment #18

Comment #19

Comment #20

Comment #21

Comment #22

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community