Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.We had discussed in #drupal that we need to review the success of our node access controlls before releasing Drupal 4.5.
For starters I found that our feed function do not honour our acccess lists at all. See attached patch.
This:
grep "{node}" * | grep -v node_access_join_sql
Might be usefull in spotting other weaknesses. Not all of those queries need fixing, of course.
| Comment | File | Size | Author |
|---|---|---|---|
| #12 | book_13.patch | 959 bytes | killes@www.drop.org |
| #7 | book_12.patch | 6.35 KB | killes@www.drop.org |
| #6 | comment_7.patch | 1.36 KB | killes@www.drop.org |
| #4 | blog_5.patch | 1000 bytes | killes@www.drop.org |
| feed.patch | 3.3 KB | killes@www.drop.org | |
Comments
Comment #1
Dries CreditAttribution: Dries commentedThe atom module probably needs to be udpated too.
IMO, it wouldn't hurt to have _db_query() check whether the access controls are in place.
Comment #2
(not verified) CreditAttribution: commentedUh oh!
This patch also seemed to include the changes decided to be a bad idea over in this issue... namely, it sorts the "latest blog entries" by sticky, forcing all users' sticky posts to the top and obscuring the actual newest posts.
I'm not near a workstation where I can make a patch at the moment, but the change that needs to be made is:
"
BY n.sticky DESC," should be removed from line 163 of blog.module. (in the functionblog_page_last()).Setting this back to patch so it gets attention.
Comment #3
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedYeah, sorry, unclean patch base. Patch forthcoming.
Comment #4
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedThis patch reverts the ORDER BY change. Sorry again.
Comment #5
Dries CreditAttribution: Dries commentedComment #6
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedHere is another patch. The comment search would have shown matching comments even if you could not access them because the node isn't accessible. The patch isn't really tested for lack of test data.
Comment #7
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedHere is another patch for book.module.
Comment #8
Dries CreditAttribution: Dries commentedI suggest we keep the check in node.module and use an isset() ... looks simpler to me.
Comment #9
Dries CreditAttribution: Dries commentedNevermind my previous comment. I committed the patches to HEAD, yet I had to modify the book.module patch for it to work.
Comment #10
(not verified) CreditAttribution: commentedIt does not look like the book.module got applied to me... could you please double-check?
Comment #11
Dries CreditAttribution: Dries commentedI did now. Thanks.
Comment #12
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedThe was (again :() a bug i the last patch.
Comment #13
Dries CreditAttribution: Dries commentedComment #14
(not verified) CreditAttribution: commented