Installed Node Limit...

Created a Role...

Created a Node Limit for a content type associated with the role...

In permissions anonymous users do not have permission to create content type...

When I log out and visit site as anonymous user, I'm able to create the content type...

I do not know if I'm missing something or if this is a bug. If it's a bug, it's a critical one.

Any help appreciated.

Ronen


Comments

dougsap’s picture

I am just confirming and elaborating on what Ronen says.

The issue seems to be true:

  • Whether or not a new role is created
  • Whether or not a rule has been defined
  • Whenever the primary Node Limit module is enabled (it does not seem to be limited to Content Type/Role).

Doug (travelling this Wed to Sat)

DuaelFr’s picture

Assigned: reelstories » DuaelFr
Category: support » bug
Priority: Major » Critical
Status: Active » Needs work

Thank you for this report.
You are right, it IS critical !

I will work on this as soon as possible (probably this week).

DuaelFr’s picture

Status: Needs work » Postponed (maintainer needs more info)

Hi guys !

I tried to reproduce this bug by many ways without success.
Could one of you try it from a fresh install from the Drupal Standard profile please ?

Regards,

dougsap’s picture

Hi Edouard,

Retest steps that I followed today:

Created clean 7.12 environment (with no non-core modules).

Created two test Content Types
CT 1 per authenticated 0 per anon
CT 2 for specified_user

Did NOT set permissions yet

Became Anonymous .. Add Content not visible (as expected, as correct)

Installed: http://ftp.drupal.org/files/projects/node_limit-7.x-1.0-alpha4.zip
Enabled, and cleared cache: Node Limit (primary module, alone)

Anonymous user WAS able to create Content despite lack of permissions and no Node Limits specified.

Discontinued testing.

See attached.. Good luck and thanks, Doug

DuaelFr’s picture

I am not able to reproduce this on my server...

My steps :

  1. download Drupal 7.12
  2. create dedicated vhost and database on local server
  3. install Drupal using the standard profile (or minimal, same result)
  4. as user 1 create a content type "CT1"
  5. as user 1 access to node/add/ct1 => success
  6. logout (or use private navigation or another browser)
  7. as anonymous try to access node/add/ct1 => denied
  8. log as user 1
  9. add and enable node_limit (only the main module)
  10. empty drupal's cache
  11. as user 1 access to node/add/ct1 => success
  12. logout (or use private navigation or another browser)
  13. as anonymous try to access node/add/ct1 => still denied !!

My local server configuration:

  • Apache 2.2.17
  • PHP 5.3.5

dougsap’s picture

My environment (shared hosting on a fairly well known host h***g*t*r).

Drupal 7.12
PHP 5.2.17
Apache 2.2.21
MySQL 5.1.56

I was more than happy to retest because I did not notice the problem in my initial testing, and thought it might have been the result of adding additional modules to my test environment. However, the environment from yesterday was new and clean.

Today, I enabled all of the Node Limit submodules – no change in behavior (Anonymous can still create content for the new, CT1, CT2 content types – Anonymous cannot create content for Basic Page or Article).

Next, I granted all CT1 permissions to Administrator and all CT2 permissions to Authenticated. No change in behavior .

Let me know if I can run any diagnostic versions of the modules, etc. Good Luck! Doug

snevins’s picture

I too am seeing the same problem that dougsap is reporting. I installed drupal 7.12 and the node_limit module (7.x-1.0-alpha4). Enabled Node Limit, Node Limit Role, and Node Limit Type since those are the only two I need. Then I created a role and a content type with a few fields. I set the role to be able to create and edit nodes of that content type. Then I logged out to see if the anonymous user could add content, and sure enough the Add content link was there and when I clicked on it, it took me directly to creating a new node for my newly created content type.

I have no users other than user1. Since I'm just limiting by role, I thought it'd be enough to just create the role. When I added a user it didn't fix the problem.

Also, admin/user/node_limit is not available to me. When I type in the url it just takes me to the general admin page. So, I can't set the admin settings for this module. I'm not sure if these two things are related.

My Environment:
Drupal: 7.12
Apache: 2.2.14
PHP: 5.3.1
MySQL: 5.1.41

DuaelFr’s picture

I just called the Drupal security team to help me resolve this critical issue. I hope they will have the time to throw an eye on this.

@snevins The proper node_limit admin url is admin/structure/node_limit, not admin/user/node_limit

snevins’s picture

Thanks for the correction on the admin page location. The readme needs updating, it says admin/user/node_limit.

Thanks also for your attention to this and for bringing in the Drupal security team.

greggles’s picture

Status: Postponed (maintainer needs more info) » Active

My guess is that this is in the hook_menu_alter.

I'm not sure specifically what it is, but that would be the first place I would look.

http://drupalcode.org/project/node_limit.git/blob/refs/heads/7.x-1.x:/no...

DuaelFr’s picture

Sure greggles that is where I first looked but as I cannot reproduce the bug I cannot judge if disabling custom access callback would help :/

Do you have an idea about why I am not able to reproduce despite following exactly my two reporters' steps ?
Could you please try by yourself ?

Thanks

webavant’s picture

DuaelFr, are you sure you enabled node_limit after creating the content type? The problem only seems to happen under the condition that the content type is created before enabling the node_limit module. I followed dougsap's steps from post #4 exactly, and I have the problem as well. I am also using a fresh standard install of everything with no other modules.

Ignore the above, it is totally incorrect.

webavant’s picture

DuaelFr ignore my previous message. The problem is occurring only when having space characters in the content type name. I have tested this back and forth several times with the same results. Omitting spaces fixes the problem.
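A regression check for the condition reported above, written as a Drupal 7 SimpleTest case. This is an added example, not part of the thread and not node_limit's own code; the class name and the two content types are made up for illustration. It relies on core behaviour: a type named "CT One" gets the machine name `ct_one`, and node_menu() registers its add form at `node/add/ct-one`.

```php
<?php

/**
 * Example test (hypothetical class name): anonymous users must be denied on
 * node/add/* with Node Limit enabled, whether or not the type name has spaces.
 */
class NodeLimitAnonymousAccessExampleTestCase extends DrupalWebTestCase {

  public static function getInfo() {
    return array(
      'name' => 'Node Limit anonymous access (example)',
      'description' => 'Anonymous users cannot reach node/add forms.',
      'group' => 'Node Limit',
    );
  }

  public function setUp() {
    // Only the main module, as in the reproduction steps in this thread.
    parent::setUp('node_limit');
  }

  public function testAnonymousIsDeniedOnAddForms() {
    // Constructed sample types: one whose name contains a space, one without.
    $types = array('ct_one' => 'CT One', 'ctplain' => 'CTplain');
    foreach ($types as $machine_name => $name) {
      // drupalCreateContentType() also rebuilds the menu router, so any
      // hook_menu_alter() implementation runs again for the new paths.
      $this->drupalCreateContentType(array('type' => $machine_name, 'name' => $name));
    }

    // Not logged in: no "create ... content" permission has been granted.
    foreach (array_keys($types) as $machine_name) {
      $path = 'node/add/' . str_replace('_', '-', $machine_name);
      $this->drupalGet($path);
      $this->assertResponse(403, "Anonymous is denied on $path.");
    }

    // A user holding the permission is still allowed when no limit is set.
    $author = $this->drupalCreateUser(array('create ct_one content'));
    $this->drupalLogin($author);
    $this->drupalGet('node/add/ct-one');
    $this->assertResponse(200, 'Permitted user reaches node/add/ct-one.');
  }

}
```

The test file has to be listed in a module's `.info` file under `files[]` for SimpleTest to discover it.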

DuaelFr’s picture

This is interesting... o_O
Thank you for this information ! I will investigate on this basis.

dougsap’s picture

Title: Anonymous users can create nodes no matter what... » Good catch Webavant!

Good catch Webavant! I added a new content type without embedded spaces and confirmed what you reported. Thanks! Doug

webavant’s picture

Title: Good catch Webavant! » Anonymous users can create nodes no matter what...

Unsure of the potential repercussions, commenting out the entire hook_menu_alter() function has fixed the problem for me.

DuaelFr’s picture

Sure webavant thank you but it will also disable the ability to hide links of CT which limits have been reached.
I will fix it quickly, don't worry :)

DuaelFr’s picture

Status: Active » Needs review

Good news !
It seems to be fixed !

Take a look at the new alpha5 release :)

dougsap’s picture

Version: 7.x-1.0-alpha4 » 7.x-1.0-alpha5
Assigned: DuaelFr » Unassigned
Status: Needs review » Fixed

The hole which allowed anonymous users to create content without permission has been fixed by 7.x-1.0-alpha5.
I will retest some of the other features over the next day or so. Thanks!

reelstories’s picture

This is excellent news. I will be installing and retesting in the next day or so.

Thanks for patching this up quickly.

Ronen

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

Issue summary: View changes

improved grammar for more clarity.

SeanT’s picture

I'm using 7.x-1.0-alpha5 and it seems I'm still getting this bug.

With node limit, node limit role, node limit interval, node limit type enabled and no node limit configuration added, anonymous users are still able to access /node/add/xxx

I added a configuration to prevent anonymous users from creating content with
limit = 0
role = anonymous user

That blocks anonymous users from creating content, but it also blocks authenticated users from creating content.

So I added another configuration for authenticated users
limit = -1
role = authenticated user

That doesn't seem to help.

In _node_limit_violates_limit, it would loop through the 2 available configurations, and then fails (return TRUE) at the 'anonymous' configuration because $count >= $limit['nlimit']

Why does it even look at the anonymous configuration when clearly I'm an authenticated user?

SeanT’s picture

Upon further inspections, it seems to be coming from this bug https://drupal.org/node/1678202

SeanT’s picture

This patch fixes it for me https://drupal.org/node/1910874

sillygwailo’s picture

Issue summary: View changes
Status: Closed (fixed) » Active

This is still an issue in alpha5. It clashes specifically with the Mass Contact module. See #1596194: users have access through node/add. I can provide (privately) the URL to a Mass Contact page that is accessible to anonymous users. It is not related to OG since I don't have OG installed.

I tried adding a limit so that anonymous users could not post any Mass Contact nodes but that fouled things up for other content types.

Perignon’s picture

Status: Active » Postponed (maintainer needs more info)

Can you provide a step by step reproduction to produce this error? I am looking at using this module on a project so I checked out this issue before I brought it into my code base and I cannot replicate this issue using a default installation of Drupal.

My steps are:

  1. drush dl drupal-7.x
  2. drush site-install.....
  3. drush dl node_limit
  4. drush en -y node_limit_userofrole, node_limit_user, node_limit_type, node_limit_role, node_limit_interval, node_limit
  5. Created new content type
  6. Created new role
  7. Set a Node Limit for the newly created content type that limits the new role to 1 node
  8. Loaded website anonymously and tried to access node/add/newcontenttype

I am blocked from creating a node.

Marking as needs more information.

abhinaba9’s picture

No such issue is being created now. An anonymous user cannot add a node if it was used in the rule for node limit.