When I use Uniqueness with the first account, everything works well.
But when I use a Registered Users account, the module searches every node title on my website. Can anyone help me?
Comments
Comment #1
DanChadwick commented:
I'm guessing that anonymous users see only some content types? If the problem is that authenticated users are seeing titles from other content types, then there's help.
Patches have been posted, but not yet committed, that let you limit the search to only the content type of the node being edited/added.
Comment #2
rexcn commented:
It is not that authenticated users are seeing titles from other content types; authenticated users are seeing the same content types. But the search results are every node title on the website. There is no problem with the first account.
Comment #3
DanChadwick commented:
Which search method are you using? What's different about your installation?
Comment #4
rexcn commented:
If I use 'Simple node title search', the authenticated users' search result is every node title on the website.
If I use 'Drupal search', the authenticated users' search result is nothing, even though some node titles are equal.
But the first account works well with both search methods.
Comment #5
rexcn commented:
Is there something wrong with the permissions?
Comment #6
bforchhammer commented:
As far as I can see node permissions should be fine with Drupal Search and Solr Search.
"Simple Node Title Search" however is just a simple SQL query, which does not implement any advanced node access checking, so this will actually just return everything.
I'm not sure about how to implement that at the moment...
Comment #7
asb commented:
Isn't this a potential security issue that should at least be mentioned on the project page? Hypothetical example: someone stores her customers' credit card numbers in an access-restricted content type or CCK field with permissions; the "Simple Node Title Search" would return the node titles, however the content would still remain access restricted.
Hm, if I think about it, this isn't too hypothetical at all; on one site, I have a content type for photographic equipment owned by the users; the node title includes the user name and the piece of equipment. If someone unprivileged creates content with the equipment name, the owner listings might show up for this piece of equipment; someone who understands how 'Uniqueness' works might even create dummy content and enter a user name, which would potentially result in a listing of equipment this user owns. Nice for thieves, but nasty for the users. Stuff like this shouldn't show up in any unprivileged searches, I think (well, on the other hand, one should not trust Drupal's access permissions anyway).
I assume the actual problem here is the need for speed, and because of that you avoid using the Drupal APIs to query the database?
Comment #8
bforchhammer commented:
I've added a note to the project page about this issue...
I think the primary reason was simplicity; for the 7.x version we should probably look into using the new query interface...
Comment #9
bforchhammer commented:
Note: 7.x does use the new query interface and access restrictions are respected; so this only applies to 6.x.
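
The gap discussed in comments #6 and #9, as an added example that is not part of the thread or of the Uniqueness module's code: the same title search run with and without a view-grant filter. It uses a constructed SQLite schema that is a simplified stand-in for Drupal's node and node_access tables; all function names and sample rows are assumptions for illustration.

```python
import sqlite3

def build_db():
    """Constructed sample data: two generally visible nodes, one restricted."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE node (nid INTEGER PRIMARY KEY, type TEXT, title TEXT);
        CREATE TABLE node_access (nid INTEGER, realm TEXT, gid INTEGER,
                                  grant_view INTEGER);
        INSERT INTO node VALUES
            (1, 'equipment', 'alice - camera body'),
            (2, 'equipment', 'bob - camera lens'),
            (3, 'page',      'camera buying guide');
        -- node 1 is viewable only by holders of grant id 10 in realm 'owner'
        INSERT INTO node_access VALUES
            (1, 'owner', 10, 1),
            (2, 'all',    0, 1),
            (3, 'all',    0, 1);
    """)
    return db

def like_pattern(text):
    """Escape LIKE wildcards so the submitted title is matched literally."""
    for ch in ("\\", "%", "_"):
        text = text.replace(ch, "\\" + ch)
    return "%" + text + "%"

def search_titles_unchecked(db, text):
    """Title match only: every node is a candidate, whoever is asking."""
    rows = db.execute(
        "SELECT nid, title FROM node "
        "WHERE title LIKE ? ESCAPE '\\' ORDER BY nid",
        (like_pattern(text),))
    return rows.fetchall()

def search_titles_checked(db, text, grants):
    """Same match, limited to nodes the caller holds a view grant for."""
    grants = [("all", 0)] + list(grants)  # everyone holds the 'all' grant
    clause = " OR ".join("(na.realm = ? AND na.gid = ?)" for _ in grants)
    params = [like_pattern(text)] + [v for g in grants for v in g]
    rows = db.execute(
        "SELECT DISTINCT n.nid, n.title FROM node n "
        "JOIN node_access na ON na.nid = n.nid AND na.grant_view >= 1 "
        "WHERE n.title LIKE ? ESCAPE '\\' AND (" + clause + ") "
        "ORDER BY n.nid", params)
    return rows.fetchall()
```
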