The mailhandler does not read user permissions correctly anymore.
For some reason it only checks the user that uses the mail address where a message was sent from.
E.g. I have an email address which collects loads of newsletters and places these in the queue. These are all collected from separate addresses.
In options there is a pull-down providing the option to disable security. This is not taken into account when processing a mailed node.
line 103 of mailhandler.module
if (node_access("create", $node)) {
should be
if (node_access("create", $node) || $mailbox['security']==0) {
and maybe even
if (node_access("create", $node) || $mailbox['security']==0 || commands_defined_user_access($node)) {
commands_defined_user_access($node) looks for a user & password in the commands and returns true if that user has access rights.
Greets. Ber
Comments
Comment #1
moshe weitzman commented
Please supply a patch if possible.
Comment #2
moshe weitzman commented
Note that the proposed fix is not desirable. We don't want to circumvent the node_access() check at all. If security is turned on, then that should be dealt with before we try to create the node. I haven't reviewed the code, and haven't even confirmed that a bug exists. But I do know that the change proposed here is undesirable.
Comment #3
Bèr Kessels commented
I set status to postponed.
I'm not sure what to do with this. Fact is that on /my/ configuration, it does not work: I cannot process mails from mail addresses other than one that is from a user with access rights. Can someone confirm this? Maybe it's only my problem. Maybe for now this should be set as 'by design'?
Ber
Comment #4
moshe weitzman commented
status: By design
Now I see the misunderstanding. Yes, this behavior is by design. If
mailhandler receives a mail from an unrecognized user, it will post
the note anonymously if user permissions permit this. Please re-open
this case if you see differently.
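The two behaviours discussed in this thread, side by side, as an added example that is not part of the original issue and not mailhandler's own code: the reported change ORs the mailbox flag into the access check, while the by-design flow maps an unrecognized sender to the anonymous account and lets the permission check decide. The user table, the permission table and the names resolve_sender(), may_create(), accept_with_bypass() and accept_by_design() are hypothetical stand-ins; only node_access("create", $node) and $mailbox['security'] come from the thread.

```php
<?php
// Added illustration. Constructed sample data standing in for Drupal's
// user and permission tables.
$users = [
    'editor@example.org' => ['uid' => 7, 'roles' => ['editor']],
];
$create_permissions = [        // role => node types that role may create
    'anonymous' => [],         // anonymous posting is not permitted here
    'editor'    => ['story'],
];

// Map the From: address to an account; unknown senders become anonymous (uid 0).
function resolve_sender(array $users, string $from): array {
    $key = strtolower(trim($from));
    return $users[$key] ?? ['uid' => 0, 'roles' => ['anonymous']];
}

// Hypothetical stand-in for the node_access("create", $node) decision.
function may_create(array $perms, array $account, string $type): bool {
    foreach ($account['roles'] as $role) {
        if (in_array($type, $perms[$role] ?? [], true)) {
            return true;
        }
    }
    return false;
}

// Change proposed in the report: the mailbox flag is OR-ed into the check,
// so security == 0 accepts a node from any sender.
function accept_with_bypass(array $perms, array $account, array $mailbox, string $type): bool {
    return may_create($perms, $account, $type) || $mailbox['security'] == 0;
}

// By-design flow: the permission check is the only gate.
function accept_by_design(array $perms, array $account, string $type): bool {
    return may_create($perms, $account, $type);
}

$mailbox = ['security' => 0];
foreach (['editor@example.org', 'newsletter@example.net'] as $from) {
    $account = resolve_sender($users, $from);
    printf("%-24s uid=%d bypass=%s by_design=%s\n", $from, $account['uid'],
        var_export(accept_with_bypass($create_permissions, $account, $mailbox, 'story'), true),
        var_export(accept_by_design($create_permissions, $account, 'story'), true));
}
```

With this sample data the unrecognized newsletter address is accepted only by the bypass variant; under the by-design flow it is accepted once the anonymous role is given permission to create that node type.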
Comment #5
moshe weitzman commented