Currently a user may edit/delete/view a comment even if they cannot access the node it belongs to.

Inclusion in the administer listing was handled in #904214: Users with 'administer comments' should not be able to see the titles of unpublished nodes nor view/edit their comments, but not the access to the view/delete menu entries.

Based on IRC discussion, the current official security stance is users do not need to be able to view a node to view the comments of the node.


Comments

hefox’s picture

Here's a quick, untested patch that updates comment_access function and the menu callbacks.

Status: Needs review » Needs work

The last submitted patch, drupal_1781766_comment_access-1.patch, failed testing.

salvis’s picture

I definitely agree with the direction of this effort.

Comments on a node (entity) must be protected exactly like the node (entity) that they belong to. They contain quotes of and relate to the content of their parent. Not protecting the comments would betray obvious common sense expectations.

hefox’s picture

Need to use %comment in the hook_menus.

Also, a very basic attempt to update the tests. Modeled after some node access tests I saw, and thus added $account as a parameter to comment_access that defaults to $user.
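As an added illustration of the direction described in this post (an access callback that takes an $account defaulting to $user, and menu entries that use %comment so the loaded comment object reaches the callback), here is Drupal 7-style example code. It is not the patch attached to this issue and not core code. The security point is the first check: every view/edit/delete operation on a comment is refused unless the account may view the parent node, so a comment can never leak or be modified through a node the account cannot see. The function names example_comment_access and example_menu are hypothetical; node_access, user_access, node_load, comment_permalink, comment_edit_page and comment_confirm_delete_page are assumed to be the Drupal 7 core functions of those names.

```php
<?php

/**
 * Access callback for comment operations (added example, not core code).
 *
 * @param string $op
 *   One of 'view', 'edit' or 'delete'.
 * @param object $comment
 *   A fully loaded comment object (from the %comment menu loader).
 * @param object|null $account
 *   The account to check; defaults to the global $user, as proposed above.
 *
 * @return bool
 *   TRUE if $account may perform $op on $comment.
 */
function example_comment_access($op, $comment, $account = NULL) {
  global $user;
  if (!isset($account)) {
    $account = $user;
  }

  // The parent node gates everything: no node access, no comment access.
  // A comment whose node is missing gets no access either.
  $node = node_load($comment->nid);
  if (!$node || !node_access('view', $node, $account)) {
    return FALSE;
  }

  switch ($op) {
    case 'view':
      // Unpublished comments are visible only to comment administrators.
      return user_access('access comments', $account)
        && ($comment->status == COMMENT_PUBLISHED
          || user_access('administer comments', $account));

    case 'edit':
      // Administrators, or the authenticated author of a published comment.
      return user_access('administer comments', $account)
        || ($account->uid != 0
          && $account->uid == $comment->uid
          && $comment->status == COMMENT_PUBLISHED
          && user_access('edit own comments', $account));

    case 'delete':
      return user_access('administer comments', $account);
  }

  // Unknown operations are denied rather than silently allowed.
  return FALSE;
}

/**
 * Implements hook_menu() (added example).
 *
 * Using %comment instead of % makes the router load the comment object and
 * hand it to both the page callback and the access callback.
 */
function example_menu() {
  $items = array();
  $items['comment/%comment'] = array(
    'title' => 'Comment permalink',
    'page callback' => 'comment_permalink',
    'page arguments' => array(1),
    'access callback' => 'example_comment_access',
    'access arguments' => array('view', 1),
  );
  $items['comment/%comment/edit'] = array(
    'title' => 'Edit',
    'page callback' => 'comment_edit_page',
    'page arguments' => array(1),
    'access callback' => 'example_comment_access',
    'access arguments' => array('edit', 1),
    'type' => MENU_LOCAL_TASK,
  );
  $items['comment/%comment/delete'] = array(
    'title' => 'Delete',
    'page callback' => 'comment_confirm_delete_page',
    'page arguments' => array(1),
    'access callback' => 'example_comment_access',
    'access arguments' => array('delete', 1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}
```

Because the node check runs before the per-operation switch, the behaviour that pameeela later confirms (Access Denied when a comment administrator opens a comment on an unpublished node they cannot view) falls out of the same code path for view, edit and delete, rather than being special-cased per menu entry.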

hefox’s picture

Status: Needs work » Needs review

Status: Needs review » Needs work

The last submitted patch, drupal_1781766_comment_access-4.patch, failed testing.

hefox’s picture

Assigned: Unassigned » hefox

hefox’s picture

Status: Needs work » Needs review
FileSize
48.04 KB

Went to update the patch and ran into the issue that postComment returns this really weird object made via entity_create that is the same type as a comment object, but it used keys like ->id instead of ->cid, ->comment instead of comment_body, etc. Asked in #drupal-contribute if there was any reason for it, but no one there saw a reason. I could have worked around, but instead I changed it so it returns comment_load for the new comment, which meant updating a lot of other places.

This is sometimes passing local comment tests (not sure what's up), so let's see how it does here.

Status: Needs review » Needs work

The last submitted patch, drupal_1781766_comment_access-7.patch, failed testing.

hefox’s picture

Status: Needs work » Needs review
FileSize
48.04 KB

Local tests still running, but let's see if this works

Status: Needs review » Needs work

The last submitted patch, drupal_1781766_comment_access-9.patch, failed testing.

hefox’s picture

Messed up updating patch

hefox’s picture

Status: Needs work » Needs review

hefox’s picture

Assigned: hefox » Unassigned

hefox’s picture

Status: Needs review » Needs work

The last submitted patch, drupal_1781766_comment_access-15.patch, failed testing.

hefox’s picture

Status: Needs work » Needs review
FileSize
51.27 KB

Status: Needs review » Needs work

The last submitted patch, drupal_1781766_comment_access-17.patch, failed testing.

hefox’s picture

Status: Needs work » Needs review
FileSize
49.37 KB

Status: Needs review » Needs work

The last submitted patch, drupal_1781766_comment_access-19.patch, failed testing.

hefox’s picture

Status: Needs work » Needs review
FileSize
51.28 KB

hefox’s picture

Issue summary: View changes

Changing wording as issue mentioned does touch on edit

Status: Needs review » Needs work

The last submitted patch, 21: drupal_1781766_comment_access-21.patch, failed testing.

LoMo’s picture

Issue summary: View changes

I agree with what salvis said in #3 and would actually suggest that this issue should be a "Bug report" with priority level "Major", i.e. not so low a priority as a "Feature request" with priority "Normal".

salvis’s picture

Category: Feature request » Bug report
Priority: Normal » Major

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

pameeela’s picture

Status: Needs work » Closed (works as designed)
Issue tags: +Bug Smash Initiative

This works now. Steps to test:

  1. Create a user with permission to administer comments but not view unpublished nodes
  2. Create an unpublished node and add a comment
  3. Attempt to view the comment on the unpublished node with the test user
  4. Get Access Denied