Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Popular Content block does not respect node-level permissions, so shows titles of nodes which the user can't access. This one-line patch for Drupal 4.6 adds the missing db_rewrite
call.
Comment | File | Size | Author |
---|---|---|---|
popular_content_access.patch | 1.02 KB | menesis | |
Comments
Comment #1
ankur CreditAttribution: ankur commented+1
The node_privacy_byrole module in contribs makes changes to the node_access table that get ignored by the title listings generated by statistics.module's popular content listings. This is because the queries used to generate the listings don't check permissions on a JOIN to the node_access table as they should. The problem came to my attention in the issues queue for node_privacy_byrole:
http://drupal.org/node/16243
The patch changes the query so that it calls db_rewrite_sql() which in turn calls node_db_rewrite_sql() which is the function that inserts the node_access check into the query.
-Ankur
Comment #2
Steven CreditAttribution: Steven commentedApplied to 4.6 and HEAD.
Comment #3
menesis CreditAttribution: menesis commented