I created a module to allow access to unpublished content, when a user has a special url with a hash control in it. This is a module based on various snippets I found on the drupal site.
The module integrate with the node creating process, and if a node is created, which is not published, and the user has the permission to create a link to access the unpublished node, a special url will be displayed. On the other hand when a user accesses the drupal website, and uses an URL with the correct hash the user can be allowed to view the unpublished content.
I searched and did not find any module that offers this functionality. I am aware that this module might prove to be a security risk, because it allows access to unpublished content, but I believe the module provides enough safeguards and information to warn users about the risks.
I uploaded the first version of the module here: http://leiden365.nl/downloads/access_unpublished-v0.1.zip
Kind regards,
Adrie
| Comment | File | Size | Author |
|---|---|---|---|
| #7 | access_unpublished-v0.5.zip | 2.94 KB | aberg |
| #6 | access_unpublished-v0.4.zip | 3 KB | aberg |
| #4 | access_unpublished-v0.3.zip | 2.76 KB | aberg |
| #3 | access_unpublished-v0.2.zip | 8.19 KB | aberg |
| #1 | access_unpublished-v0.1.zip | 8.2 KB | aberg |
Comments
Comment #1
aberg commentedComment #2
aberg commentedComment #3
aberg commentedReviewed my code using the coder module and made some cosmetic modifications.
Comment #4
aberg commentedMore corrections to have valid Drupal code. Added an extra permission to allow only certain users to create a url with hash when saving unpublished nodes.
Comment #5
aberg commentedComment #6
aberg commentedI just keep working on this module, and here is the latest version, which includes better comments in the code, and some small fixes.
Comment #7
aberg commentedCorrected some of the comments in the code, and some details. The module should be perfect now. Please review it.
Comment #8
arianek commentedHi. Please read all the following and the links provided as this is very important information about your CVS Application:
Drupal.org has moved from CVS to Git! This is a very significant change for the Drupal community and for your application. Please read the following documentation on how this affects and benefits you and the application process:
Migrating from CVS Applications to (Git) Full Project Applications
Comment #9
aberg commentedAdded this project to git.
http://drupal.org/sandbox/aberg/1075866
Comment #10
avpadernoComment #11
berdirAs hint, it seems that you haven't yet correctly configured your e-mail address in git which means that the commits do not get assigned to your account. Have a look at the "Git access" local task below edit in your profile to see how to configure it properly. You are currently using an internal e-mail address (webserver2.icc something)
- You're .info file is missing a bit information, you should add the core version, package and description.
- // $Id$
This line isn't necessary anymore, git doesn't use it.
- drupal_set_message(t('Access unpublished') . ': ' . access_unpublished_get_access_url($node) . '');
You should rewrite and use a single translatable string with placeholders. Something like this:
Or something along those lines. You might also want to rework the text a bit.
- return md5($nid . variable_get('access_unpublished_privatekey', ACCESS_UNPUBLISHED_DEFAULTPRIVATEKEY));
I'm wondering if that is secure enough. If someone forgets to update the privatekey, this can be easily tricked.
What about generating a random string in hook_install()? That is similar to what Drupal 7 is doing to protect cron.php access. See http://api.drupal.org/api/drupal/modules--system--system.install/functio.... You could either backport the used helper functions to D6 or use something simpler like http://ch.php.net/manual/en/function.uniqid.php
Comment #12
aberg commentedUpdated the module for the changes suggested by Berdir.
The private key is now generated during install and can be modified in the module settings. I still have the default value in the defines for if someone deletes the generated key.
update 8 april: Forgot to upload the updated files. Now the set is complete.
Comment #13
tim.plunkettComment #14
tim.plunkettAssigning for review.
Comment #15
ralt commentedHi,
Your module looks good.
Here are a few suggestions, but I'll assign this as RTBC btw.
You're defining ACCESS_UNPUBLISHED_QUERYSTRING as constant. Wouldn't it be better (and more secure) to use variable_get() and let the administrator choose which string to use? That'd mean using check_plain() everytime you're retrieving it, of course.
Just as you're doing in your .install file, don't you think it'd be better to use uniqid() here? Even though it shouldn't ever be used, this is still better.
Well, by the way, you can do these changes later, as they are not essential, but would be a great addition.
Comment #16
aberg commentedThanks for reviewing the module.
I made the update regarding the query string. This can now be modified in the administration page of the module.
The function returning the hash code (_access_unpublished_get_hash($nid)) should return a hash that is based on a fixed private key because the function is used for creating and checking the key value. The DEFAULTPRIVATEKEY value will only be used if the user deleted the generated private key.
If I add an uniqid() here the hash values would be different every time, and the program functionality would be lost in case the user deleted the private key.
Comment #17
ralt commentedYou're using variable_get() to return the value. Value which you've defined through your .install file, so the constant should never be used by the way. If it is ever used, that means that the variable is empty, so it is using a default value (and defining this value in the table), which will be retrieved the next time by variable_get(). This new value should not be as simple as "abcdef", which is why I'm proposing you to use uniqid().
Comment #18
aberg commentedThanks for the tip, but I don't see how a call to variable_get() will define the variable if it is not set. I reviewed the documentation (http://api.drupal.org/api/drupal/includes--bootstrap.inc/function/variab...), but it was not clear to me.
After doing some more tests, I found that deleting the value of the private key resulted in an empty string, and not the deletion of the variable. This means the hash will be based only on the nodeid.
I think the best is try and add a requirement to the module administration page where I require a value that is not empty. I have uploaded a new version of the module. Thanks again for your feedback.
Comment #19
ralt commentedUh, my bad. You're absolutely right, I confused several things together and said something totally wrong. Your way is indeed what I was thinking about. Sorry for thinking the wrong way.
Well, we just need someone with the right permission to approve your application now :-)
Comment #20
sreynen commentedHi aberg,
Thanks for your contribution and welcome to the community of project contributors on drupal.org.
I've granted you the git vetted user role which will let you promote this to a full project and also create new projects as either sandbox or "full" projects depending on which you feel is best.
Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. As someone who has recently completed an application, your input would be especially useful in the code review group as we work to improve this process.
Comment #22
avpadernoI am giving credits to the users who participated in this issue.