If a module implementing node grants is enabled, and a non-standard operation is passed to check access to a node, then a database exception is thrown.
Problem/Motivation
The node grant system is not activated unless there is an installed module which implements hook_node_grants. Drupal does not come with any non-test modules implementing this hook.
Once the grant system is enabled, \Drupal\node\NodeGrantDatabaseStorage->access() constructs a database condition's column by concatenating 'grant' . $operation. However, only the 'grant_view', 'grant_update' and 'grant_delete' columns exist. The code does not do any pre-checks for column existence.
This code was uncovered due to a non-standard operation implemented by RNG, combined with a hook_node_grants implementer in content_access.
Steps to reproduce:
- Enable content_access module, or any module implementing node grants.
- Rebuild node access.
- Create a test script, executing $node->access('a_random_operation');
- As a limited user, run the test script.
Proposed resolution
The patch ensures the operation passed is one of the three grant columns in the node_access database table.
Remaining tasks
N/A
User interface changes
None
API changes
None
Data model changes
None
References
- RNG issue: Possible problem with RNG and CONTENT ACCESS #71
- Content Access issue: #2653252: "The website encountered an unexpected error" upon setting Access Control for individual node
Comment | File | Size | Author |
---|---|---|---|
#3 | node-grant-operation-2659078.patch | 1.53 KB | dpi |
#3 | node-grant-operation-2659078-testonly.patch | 708 bytes | dpi |
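
The failure and the fix described in the issue summary, as an added example that is not Drupal core code and not the attached patch. It assumes PHP with the pdo_sqlite extension; the table is a simplified stand-in for node_access, the function names are hypothetical, and returning NULL for "no opinion" is this example's way of handing control back to the caller.

```php
<?php
// Added illustration, not Drupal core code. The table is a constructed,
// simplified stand-in for node_access; all function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE node_access (
  nid INTEGER, gid INTEGER, realm TEXT,
  grant_view INTEGER, grant_update INTEGER, grant_delete INTEGER)');
// Constructed sample grant: group 7 may view node 1, nothing else.
$db->exec("INSERT INTO node_access VALUES (1, 7, 'example_realm', 1, 0, 0)");

// The only operations that have a matching grant_* column.
const GRANT_OPERATIONS = ['view', 'update', 'delete'];

/** Before: the column name is built from whatever operation string arrives. */
function grant_check_unchecked(PDO $db, int $nid, int $gid, string $operation): bool {
  // Prefix chosen to match the grant_view/grant_update/grant_delete columns.
  $column = 'grant_' . $operation;
  $stmt = $db->prepare(
    "SELECT COUNT(*) FROM node_access WHERE nid = ? AND gid = ? AND $column >= 1");
  $stmt->execute([$nid, $gid]);
  return $stmt->fetchColumn() > 0;
}

/**
 * After: an operation without a grant column yields NULL ("no opinion"), so
 * the caller can fall back to the rest of the access system.
 */
function grant_check_guarded(PDO $db, int $nid, int $gid, string $operation): ?bool {
  if (!in_array($operation, GRANT_OPERATIONS, TRUE)) {
    return NULL;
  }
  return grant_check_unchecked($db, $nid, $gid, $operation);
}

foreach (['view', 'update', 'a_random_operation'] as $op) {
  try {
    $unchecked = var_export(grant_check_unchecked($db, 1, 7, $op), TRUE);
  }
  catch (PDOException $e) {
    // SQLite rejects the unknown column grant_a_random_operation.
    $unchecked = 'database exception';
  }
  $guarded = var_export(grant_check_guarded($db, 1, 7, $op), TRUE);
  printf("%-20s unchecked: %-20s guarded: %s\n", $op, $unchecked, $guarded);
}
```

For the two standard operations both functions agree; for a_random_operation the unchecked version raises a database exception while the guarded one returns NULL without touching the database.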
Comments
Comment #2
dpi
Comment #3
dpi
Comment #4
swentel commented
Maybe we should be harder here and throw an exception?
Comment #5
dpi
Non-CRUD operation strings are permitted in Drupal, it's just the grant system is not equipped to handle them.
I don't think this should fail hard, control should be returned to the entity access system on failure.
Comment #6
swentel commented
Oh, ok, carry on then :)
Comment #8
platinum1 commented
The patch seems to do the trick. Thank you
Comment #9
platinum1 commented
Comment #10
catch
Committed/pushed to 8.1.x and cherry-picked to 8.0.x. Thanks!
Comment #14
dpi