When I use Uniqueness with the first account, everything works well.

But when I use a Registered Users account, the module searches every node title in my website. Can anyone help me?

Comments

DanChadwick:

I'm guessing that anonymous users see only some content types? If the problem is that authenticated users are seeing titles from other content types, then there's help.

Patches have been posted, but not yet committed, that let you limit the search to only the content type of the node being edited/added.

rexcn:

It is not that authenticated users are seeing titles from other content types; authenticated users are seeing the same content types. But the search results are every node title in the website. But there is no problem with the first account.

DanChadwick:

Which search method are you using? What's different about your installation?

rexcn:

If I use 'Simple node title search', the authenticated user's search result is every node title in the website.
If I use 'Drupal search', the authenticated user's search result is nothing, even though some nodes' titles are equal.
But the first account works well with both search methods.

rexcn:

Is there something wrong with permissions?

bforchhammer:

Title: wrong with Registered Users » Node Access Check for "simple node title search"
Status: Active » Postponed

As far as I can see node permissions should be fine with Drupal Search and Solr Search.

"Simple Node Title Search" however is just a simple SQL query, which does not implement any advanced node access checking, so this will actually just return everything.

I'm not sure about how to implement that at the moment...

asb:

"Simple Node Title Search" however is just a simple SQL query, which does not implement any advanced node access checking, so this will actually just return everything.

Isn't this a potential security issue that should at least be mentioned on the project page? Hypothetical example: someone stores her customers' credit card numbers in an access-restricted content type or CCK field with permissions; the "Simple Node Title Search" would return the node titles, however the content would still remain access restricted.

Hm, if I'm thinking about it, this isn't too hypothetical at all; on one site, I have a content type for photographic equipment owned by the users; the node title includes the user name and the piece of equipment. If someone unprivileged creates content with the equipment name, the owner listings might show up for this piece of equipment; someone who understands how 'Uniqueness' works might even create dummy content and enter a user name, which would potentially result in a listing of equipment this user owns. Nice for thieves, but nasty for the users. Stuff like this shouldn't show up in any unprivileged searches, I think (well, on the other hand, one should not trust Drupal's access permissions anyway).

I assume the actual problem here is the need for speed, and because of that you avoid using the Drupal APIs to query the database?

bforchhammer:

Isn't this a potential security issue that should at least be mentioned on the project page? [...]

I've added a note to the project page about this issue...

I assume the actual problem here is the need for speed, and because of that you avoid using the Drupal APIs to query the database?

I think the primary reason was simplicity; for the 7.x version we should probably look into using the new query interface...

bforchhammer:

Note: 7.x does use the new query interface and access restrictions are respected; so this only applies to 6.x.
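
The gap discussed in this thread, a title query that never consults node access grants, shown next to an access-checked version of the same query. This is an added example, not code from the Uniqueness module: it models Drupal's node and node_access tables in simplified form in SQLite with constructed rows, and the function names and the `grants` parameter are assumptions.

```python
import sqlite3

# Constructed sample data; a simplified model of Drupal's node / node_access
# tables, not the module's own schema or code.
SCHEMA = """
CREATE TABLE node (nid INTEGER PRIMARY KEY, type TEXT, title TEXT);
CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT, grant_view INTEGER);
INSERT INTO node VALUES
  (1, 'page',      'Camera bag review'),
  (2, 'equipment', 'alice - Camera body'),
  (3, 'equipment', 'bob - Camera lens');
INSERT INTO node_access VALUES
  (1, 0,  'all',   1),   -- public: everyone may view
  (2, 10, 'owner', 1),   -- only grant id 10 in realm 'owner' (alice)
  (3, 11, 'owner', 1);   -- only grant id 11 in realm 'owner' (bob)
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def titles_unchecked(db, needle):
    """Title lookup with no access check: every matching node is returned."""
    rows = db.execute(
        "SELECT n.title FROM node n WHERE n.title LIKE ? ORDER BY n.nid",
        (f"%{needle}%",))
    return [r[0] for r in rows]

def titles_checked(db, needle, grants):
    """Same lookup, restricted to nodes the caller holds a view grant for.

    grants: (realm, gid) pairs for the current user (hypothetical parameter);
    the ('all', 0) grant that applies to everyone is always included.
    """
    pairs = [("all", 0)] + list(grants)
    # Only "?" placeholders are interpolated into the SQL text.
    clause = " OR ".join("(na.realm = ? AND na.gid = ?)" for _ in pairs)
    params = [f"%{needle}%"] + [v for pair in pairs for v in pair]
    rows = db.execute(
        "SELECT DISTINCT n.nid, n.title FROM node n "
        "JOIN node_access na ON na.nid = n.nid "
        f"WHERE n.title LIKE ? AND na.grant_view >= 1 AND ({clause}) "
        "ORDER BY n.nid", params)
    return [r[1] for r in rows]
```

With no extra grants, the checked query returns only the public title, while the unchecked query also returns both owners' equipment titles.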