Installed Node Limit...
Created a Role...
Created a Node Limit for a content type associated with the role...
In permissions anonymous users do not have permission to create content type...
When I log out and visit site as anonymous user, I'm able to create the content type...
I do not know if I'm missing something or if this is a bug. If it's a bug, it's a critical one.
Any help appreciated.
Ronen
Comment | File | Size | Author |
---|---|---|---|
#15 | Feb13AddCT3.JPG | 87.88 KB | dougsap |
#4 | 6 Feb Alpha04 Testing Summary.png | 1.08 MB | dougsap |
Comments
Comment #1
dougsap
I am just confirming and elaborating on what Ronen says.
The issue seems to be true:
Doug (travelling this Wed to Sat)
Comment #2
DuaelFr
Thank you for this report.
You are right, it IS critical!
I will work on this as soon as possible (probably this week).
Comment #3
DuaelFr
Hi guys!
I tried to reproduce this bug in many ways without success.
Could one of you try it from a fresh install from the Drupal Standard profile, please?
Regards,
Comment #4
dougsap
Hi Edouard,
Retest steps that I followed today:
Created clean 7.12 environment (with no non-core modules).
Created two test Content Types
CT 1 per authenticated 0 per anon
CT 2 for specified_user
Did NOT set permissions yet
Became Anonymous .. Add Content not visible (as expected, as correct)
Installed: http://ftp.drupal.org/files/projects/node_limit-7.x-1.0-alpha4.zip
Enabled, and cleared cache: Node Limit (primary module, alone)
Anonymous user WAS able to create Content despite lack of permissions and no Node Limits specified.
Discontinued testing.
See attached.. Good luck and thanks, Doug
Comment #5
DuaelFr
I am not able to reproduce this on my server...
My steps:
My local server configuration:
Comment #6
dougsap
My environment (shared hosting on a fairly well known host h***g*t*r).
Drupal 7.12
PHP 5.2.17
Apache 2.2.21
MySQL 5.1.56
I was more than happy to retest because I did not notice the problem in my initial testing, and thought it might have been the result of adding additional modules to my test environment. However, the environment from yesterday was new and clean.
Today, I enabled all of the Node Limit submodules – no change in behavior (Anonymous can still create content for the new, CT1, CT2 content types – Anonymous cannot create content for Basic Page or Article).
Next, I granted all CT1 permissions to Administrator and all CT2 permissions to Authenticated. No change in behavior.
Let me know if I can run any diagnostic versions of the modules, etc. Good Luck! Doug
Comment #7
snevins
I too am seeing the same problem that dougsap is reporting. I installed Drupal 7.12 and the node_limit module (7.x-1.0-alpha4). Enabled Node Limit, Node Limit Role, and Node Limit Type since those are the only two I need. Then I created a role and a content type with a few fields. I set the role to be able to create and edit nodes of that content type. Then I logged out to see if the anonymous user could add content, and sure enough the Add content link was there, and when I clicked on it, it took me directly to creating a new node for my newly created content type.
I have no users other than user1. Since I'm just limiting by role, I thought it'd be enough to just create the role. When I added a user it didn't fix the problem.
Also, admin/user/node_limit is not available to me. When I type in the url it just takes me to the general admin page. So, I can't set the admin settings for this module. I'm not sure if these two things are related.
My Environment:
Drupal: 7.12
Apache: 2.2.14
PHP: 5.3.1
MySQL: 5.1.41
Comment #8
DuaelFr
I just called the Drupal security team to help me resolve this critical issue. I hope they will have the time to throw an eye on this.
@snevins The proper node_limit admin url is admin/structure/node_limit, not admin/user/node_limit
Comment #9
snevins
Thanks for the correction on the admin page location. The readme needs updating, it says admin/user/node_limit.
Thanks also for your attention to this and for bringing in the Drupal security team.
Comment #10
greggles
My guess is that this is in the hook_menu_alter.
I'm not sure specifically what it is, but that would be the first place I would look.
http://drupalcode.org/project/node_limit.git/blob/refs/heads/7.x-1.x:/no...
Comment #11
DuaelFr
Sure greggles, that is where I first looked, but as I cannot reproduce the bug I cannot judge if disabling the custom access callback would help :/
Do you have an idea about why I am not able to reproduce it despite following exactly my two reporters' steps?
Could you please try it yourself?
Thanks
Comment #12
webavant
DuaelFr, are you sure you enabled node_limit after creating the content type? The problem only seems to happen under the condition that the content type is created before enabling the node_limit module. I followed dougsap's steps from post #4 exactly, and I have the problem as well. I am also using a fresh standard install of everything with no other modules.
Ignore the above, it is totally incorrect.
Comment #13
webavant
DuaelFr, ignore my previous message. The problem is occurring only when having space characters in the content type name. I have tested this back and forth several times with the same results. Omitting spaces fixes the problem.
Comment #14
DuaelFr
This is interesting... o_O
Thank you for this information! I will investigate on this basis.
Comment #15
dougsap
Good catch Webavant! I added a new content type without embedded spaces and confirmed what you reported. Thanks! Doug
Comment #16
webavant
Unsure of the potential repercussions, commenting out the entire hook_menu_alter() function has fixed the problem for me.
Comment #17
DuaelFr
Sure webavant, thank you, but it will also disable the ability to hide links of CTs whose limits have been reached.
I will fix it quickly, don't worry :)
Comment #18
DuaelFr
Good news!
It seems to be fixed!
Take a look at the new alpha5 release :)
Comment #19
dougsap
The hole which allowed anonymous users to create content without permission has been fixed by 7.x-1.0-alpha5.
I will retest some of the other features over the next day or so. Thanks!
Comment #20
reelstories
This is excellent news. I will be installing and retesting in the next day or so.
Thanks for patching this up quickly.
Ronen
Comment #21.0
(not verified)
Improved grammar for more clarity.
Comment #22
SeanT
I'm using 7.x-1.0-alpha5 and it seems I'm still getting this bug.
With node limit, node limit role, node limit interval, node limit type enabled and no node limit configuration added, anonymous users are still able to access /node/add/xxx
I added a configuration to prevent anonymous users from creating content with
limit = 0
role = anonymous user
That blocks anonymous users from creating content, but it also blocks authenticated users from creating content.
So I added another configuration for authenticated users
limit = -1
role = authenticated user
That doesn't seem to help.
In _node_limit_violates_limit, it would loop through the 2 available configurations, and then fails (return TRUE) at the 'anonymous' configuration because $count >= $limit['nlimit']
Why does it even look at the anonymous configuration when clearly I'm an authenticated user?
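The behaviour described in comment #22, together with the original report, as an added PHP illustration that is not part of the thread and not node_limit's own code: a limit is only evaluated when its role applies to the account, and the core create permission is checked before any limit. The `role` key, both function names and `-1` meaning "no limit" are assumptions; only `nlimit` and `$count` come from the comment.

```php
<?php
// Added illustration, not node_limit's code. 'nlimit' comes from the thread;
// the 'role' key, both function names and NO_LIMIT = -1 are assumptions.
const NO_LIMIT = -1;

// TRUE when one more node would break a limit that applies to this account.
function violates_limit(array $limits, array $roles, int $count): bool {
  foreach ($limits as $limit) {
    // Skip limits scoped to a role the account does not hold; otherwise an
    // "anonymous user: 0" limit also blocks authenticated users.
    if (!in_array($limit['role'], $roles, true)) {
      continue;
    }
    if ($limit['nlimit'] !== NO_LIMIT && $count >= $limit['nlimit']) {
      return true;
    }
  }
  return false;
}

// Access decision for node/add/<type>. The core permission is checked first,
// so a limit can only narrow access and never grant it.
function may_create(string $type, array $perms, array $limits, array $roles, int $count): bool {
  if (!in_array("create $type content", $perms, true)) {
    return false;
  }
  return !violates_limit($limits, $roles, $count);
}

// Constructed sample data mirroring the two configurations in comment #22.
$limits = [
  ['role' => 'anonymous user', 'nlimit' => 0],
  ['role' => 'authenticated user', 'nlimit' => NO_LIMIT],
];
// Authenticated user holding the permission, with 3 existing nodes.
var_dump(may_create('ct1', ['create ct1 content'], $limits, ['authenticated user'], 3));
// Anonymous user without the permission: denied before limits are consulted.
var_dump(may_create('ct1', [], $limits, ['anonymous user'], 0));
// Anonymous user granted the permission but limited to 0 nodes.
var_dump(may_create('ct1', ['create ct1 content'], $limits, ['anonymous user'], 0));
```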
Comment #23
SeanT
Upon further inspection, it seems to be coming from this bug: https://drupal.org/node/1678202
Comment #24
SeanT
This patch fixes it for me: https://drupal.org/node/1910874
Comment #25
sillygwailo
This is still an issue in alpha5. It clashes specifically with the Mass Contact module. See #1596194: users have access through node/add. I can provide (privately) the URL to a Mass Contact page that is accessible to anonymous users. It is not related to OG since I don't have OG installed.
I tried adding a limit so that anonymous users could not post any Mass Contact nodes but that fouled things up for other content types.
Comment #26
sillygwailo
Comment #27
Perignon (as a volunteer)
Can you provide a step-by-step reproduction to produce this error? I am looking at using this module on a project, so I checked out this issue before I brought it into my code base, and I cannot replicate this issue using a default installation of Drupal.
My steps are:
I am blocked from creating a node.
Marking as needs more information.
Comment #28
abhinaba9 (at Valuebound)
No such issue is being created now. An anonymous user cannot add a node if it was used in the rule for node limit.