I was trying to use nodeaccess to make a quiz on my site inaccessible except by certain users, but all users were still able to obtain access despite my configuration efforts. I could get the permissions set as I wanted with other node types, but quiz node types were giving me a problem.

I believe I have fixed this issue by changing line 45 of quiz.module from

if ($op == 'view') {

to

if ($op == 'view' && $user->uid == $node->uid && $user->uid != 0) {

That addition to the expression was copied I believe from node.module.

Someone let me know if this doesn't solve this issue -- or if I was the only one with this issue.

Comments

skeftomai’s picture

skeftomai CreditAttribution: skeftomai commented

In order to be able to access the node subpages of the quiz as well (e.g. node/18/quiz/start), it was necessary to comment out lines 129, 138, and 146 (that may be off a line or two). The access checks in the menu arrays, for instance

'access' => user_access('access quiz'),

were causing Access Denied errors.

This *apparently* doesn't mess anything up, either. I created a new quiz (with and without nodeaccess enabled), and I was able to access the quiz and its subpages just fine when access quiz permission was enabled, and I was unable to do so when it was disabled.

Hope this helps someone. Post if you have problems.

add1sun’s picture

add1sun CreditAttribution: add1sun commented
Status: Needs review » Postponed (maintainer needs more info)

What configuration were you using that wasn't working? If I understand correctly, you want a subset of your users to be able to access the quizzes? If so, that would be best accomplished by creating a role for those users and only giving "access quiz" rights to that role. If that is not what you are trying to do, please explain in more detail what you are trying to do and what steps you had taken (outside of hacking the code directly).

Your proposed solution of hard-coding in the uid=node uid and non-anon users may work for your use case but isn't something that we can add to the module since many people don't want those restrictions. Also commenting out the access control in the module isn't a good solution either.

Maybe if we understand what the underlying issue is we can come up with a solution for you that doesn't involve breaking the module. ;-)

skeftomai’s picture

skeftomai CreditAttribution: skeftomai commented

Cool. Yes, what I want is to allow only users who have purchased the quiz (I'm using Ubercart) to be access the quiz -- and only quizzes they've purchased. I wrote an Ubercart/Drupal module which grants access to the quiz via nodeaccess upon purchase (I have not published this or finished testing this, yet).

I intend to have capability of having multiple quizzes on the site, and so I don't want to have to create n roles for n quizzes. Nodeaccess, IMO, is a more optimal solution (that's just my opinion, though) than creating new roles.

savejonas’s picture

savejonas CreditAttribution: savejonas commented

I am also having the same problem. My site has multiple quizzes and each quiz has a corresponding role. This way, people who purchased one quiz will not be able to access other quizzes. Node access seems to have no effect on the quiz permissions although it does work on other nodes such as page and story.

awong’s picture

awong CreditAttribution: awong commented
Category: bug » feature

I think this is a feature request. I just change the category to feature request.

westwesterson’s picture

westwesterson CreditAttribution: westwesterson commented

we probably need to pass the queries which show up on pages through db_rewrite_sql(), then in theory all the node access modules will be happy.

westwesterson’s picture

westwesterson CreditAttribution: westwesterson commented
Version: 5.x-1.x-dev » 6.x-2.x-dev

oh and new features go in head ;)

Jan Schejbal’s picture

Jan Schejbal CreditAttribution: Jan Schejbal commented

I found a solution/workaround that seems quite "clean" to me:
Change quiz_access() so it returns NULL where it returned true in the past. Then, node_access (which calls quiz_access) will use the rights set in the node_access table. Still return FALSE in the cases you already did. This will cause node_access to deny access if quiz_access says "no" (FALSE).

So in order to access a quiz (view permission), user_access('access quiz') must be true (otherwise quiz_access will return FALSE and no access will be allowed no matter what the node permissions are), AND the access must be allowed in the node_access table. This will work if a node access plugin is being used, I do not know what happens if there is none, but maybe no access will be possible.

Maybe the correct way is to return NULL instead of FALSE (and not instead of TRUE). This is the way the poll module does it (just have a look). This way a user would need either the "access quiz" permission (globally) OR the "view" permission for THIS node via the node_access table. I guess this is a better way to do it but more places need to be changed for that (as there are other places where a missing access quiz permission will lead to failure).

mbutcher’s picture

mbutcher CreditAttribution: mbutcher commented
Version: 6.x-2.x-dev » 6.x-3.x-dev

Moved to 3.x so that it has a chance of getting into the next release.

This *might* already be fixed in 3.x. I changed the access system to work in the "standard" way, and that should be compatible with node access.

turadg’s picture

turadg CreditAttribution: turadg commented

Can anyone confirm whether or not this is fixed in 3.0?

djdevin’s picture

djdevin
Location Philadelphia
CreditAttribution: djdevin at Cadmium commented
Component: Code » Code - Quiz core
Issue summary: View changes
Status: Postponed (maintainer needs more info) » Closed (outdated)