Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Popular Content block does not respect node-level permissions, so shows titles of nodes which the user can't access. This one-line patch for Drupal 4.6 adds the missing db_rewrite call.
| Comment | File | Size | Author |
|---|---|---|---|
| popular_content_access.patch | 1.02 KB | menesis | |
Comments
Comment #1
ankur CreditAttribution: ankur commented+1
The node_privacy_byrole module in contribs makes changes to the node_access table that get ignored by the title listings generated by statistics.module's popular content listings. This is because the queries used to generate the listings don't check permissions on a JOIN to the node_access table as they should. The problem came to my attention in the issues queue for node_privacy_byrole:
http://drupal.org/node/16243
The patch changes the query so that it calls db_rewrite_sql() which in turn calls node_db_rewrite_sql() which is the function that inserts the node_access check into the query.
-Ankur
Comment #2
Steven CreditAttribution: Steven commentedApplied to 4.6 and HEAD.
Comment #3
menesis CreditAttribution: menesis commented