Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.The user_access function in user.module returns the results of the strstr() function, which returns a string, not a Boolean like the documentation suggests. This was screwing things up for me since flexinode relies on user_access for it's node_access('create'..) functionality.
The attached patch uses strpos instead of strstr. It was created from a 4.5 codebase, but I noticed that the same issue is in HEAD as well. I'm using it on my dev site, and node_access('create'..) calls are now working properly and nothing I'm using seems to have any problems with it.
| Comment | File | Size | Author |
|---|---|---|---|
| #14 | user_access_bug_0.patch | 513 bytes | killes@www.drop.org |
| #13 | user-permissions.patch | 2.83 KB | killes@www.drop.org |
| user_access_bug.patch | 473 bytes | javanaut | |
Comments
Comment #1
(not verified) CreditAttribution: commented+ return strpos($perm[$account->uid], "$string, ") !== FALSE ? TRUE : FALSE;could be written more simply as
+ return strpos($perm[$account->uid], "$string, ") !== FALSE;Keep in mind it's also possible to type-cast the result of strstr to a boolean value (i.e.
return (bool) strstr($perm[$account->uid], "$string, ");)... I am unsure as to whether strstr or strpos would be faster... perhaps a quick benchmark could answer the question of which we should use.Comment #2
javanaut CreditAttribution: javanaut commentedHeh, after posting that, I realized what I had done, but never got back around to simplifying it. Good eye.
Comment #3
tangent CreditAttribution: tangent commentedThe PHP docs claim that strpos is faster and less memory intensive than strstr.
For what it's worth, the second statement below does not seem more simple or readable than the first to me though it's hard to say if casting an int as a boolean is more or less performant than performing a logical comparison.
Comment #4
javanaut CreditAttribution: javanaut commentedThe security flaw that this fixes is where strstr finds too man positive results. Example:
module A has permission "type A create content" (Allowed for role)
module B has permission "create content" (Disallowed for role)
user_access("create content") is run for module B and returns non-FALSE, non-null results, even though the role is disallowed. Avoiding this would require a permission naming convention such that no permission were a substring of another.
Comment #5
tangent CreditAttribution: tangent commentedPermissions are comma delimited aren't they? The comma space in the string would handle this IIRC.
Comment #6
javanaut CreditAttribution: javanaut commentedIn this example, the search string passed to strstr becomes:
"create content, "
The main list of permissions being searched would contain the string:
"type A create content, "
..which would match. This problem may not be resolved by this fix, btw.
Comment #7
tangent CreditAttribution: tangent commentedWhile a regular expression would resolve this symptom, this example demonstrates that using only strings to identify permissions is not very robust. Is there a reason (performance would be a good one but only so far) that permissions aren't stored with an index?
Comment #8
Dries CreditAttribution: Dries commentedWould it be possible to implode() the permissions string and to use in_array() ?
Comment #9
(not verified) CreditAttribution: commentedDries: Possible, but not desirable. in_array is a rather slow function.
I'd rather put the permissions as keys of an array $perm and use isset($perm['do something']). We should then probably store serialized arrays in the table. That is ok, because the table is a sort of cache. Gerhard
Comment #10
Dries CreditAttribution: Dries commentedFine with me.
Comment #11
JonBob CreditAttribution: JonBob commentedIf we use such an array, we need to use array_key_exists() rather than isset() to avoid strict/PHP5 errors.
Comment #12
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedJonBob: I don't think so. If the array is defined, then we can use isset to ask if a particular index exists.
Comment #13
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedHere is an untested patch as proof of concept.
Comment #14
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedUpdated javanaut's patch according to anonymous' suggestion. A more thorough approach would be preferable of course.
Comment #15
Dries CreditAttribution: Dries commentedjavanaut: can you confirm that #14 is working for you? (This could do with being documented in the code.)
Comment #16
javanaut CreditAttribution: javanaut commentedLooks functional to me. +1
Comment #17
Dries CreditAttribution: Dries commentedjavanaut: I assume you haven't tested it yet. Because you're capable of reproducing the bug, would you mind giving this a try?
Comment #18
javanaut CreditAttribution: javanaut commentedI haven't upgraded the module that manifests this bug to CVS yet. Its functionally is identical to the patch I submitted, and I even tested this revised patch (#14) out on a 4.5.2 installation and the module in question works fine. I can test it out on 4.6rc/cvs, but it may be a small while before I upgrade the module in question. I did run it on a bare CVS installation and it is working fine for me.
Today must be bugfix Friday :)
Comment #19
Steven CreditAttribution: Steven commentedCommitted to HEAD/4.6.
Comment #20
(not verified) CreditAttribution: commentedComment #21
(not verified) CreditAttribution: commentedComment #22
(not verified) CreditAttribution: commentedComment #23
(not verified) CreditAttribution: commentedComment #24
(not verified) CreditAttribution: commented