All users with 'access projects' permission can currently view any project release node.

project_release_access() needs to check $node->status for the 'view' case.

CommentFileSizeAuthor
#1 project_release_respect_unpublished.patch.txt834 bytesdww

Comments

dww’s picture

dww
we/he/they
commented
Assigned: Unassigned » dww
Status: Active » Needs review
StatusFileSize
new project_release_respect_unpublished.patch.txt834 bytes

actually, no. directly looking at node->status is the job of node_access(). ;) all we have to do is correctly return NULL if we're not sure if the user should see it or not.

luckily, project_project_access() already gets this right, and we're just using the identical permission checks for the view case for project_release_access(). so, instead of duplicating the code, we just call project_project_access() directly, since it behaves exactly how we want. i think this is cleaner.

(btw, this bug also exists in 4.7.x-2.x, so this patch should be backported).

dww’s picture

dww
we/he/they
commented

now installed on s.d.o... seems to be working fine. however, please review/test as you see fit. ;)

thanks,
-derek

dww’s picture

dww
we/he/they
commented
Status: Needs review » Fixed

after confirmation from webernet in IRC, committed to HEAD and installed for real on s.d.o.

Anonymous’s picture

(not verified) commented
Status: Fixed » Closed (fixed)
dww’s picture

dww
we/he/they
commented

backported to DRUPAL-4-7--2 before the 4.7.x-2.2 release.