Currently a user may edit/delete/view comments even if they cannot access the node those comments belong to.
Inclusion in the administer listing was handled in #904214 (Users with 'administer comments' should not be able to see the titles of unpublished nodes nor view/edit their comments), but access to the view/delete menu entries was not.
Based on IRC discussion, the current official security stance is that users do not need to be able to view a node in order to view that node's comments.
Comment | File | Size | Author |
---|---|---|---|
#21 | drupal_1781766_comment_access-21.patch | 51.28 KB | hefox |
#10 | drupal_1781766_comment_access-9.patch | 48.04 KB | hefox |
#8 | drupal_1781766_comment_access-7.patch | 48.04 KB | hefox |
#4 | drupal_1781766_comment_access-4.patch | 10.14 KB | hefox |
#1 | drupal_1781766_comment_access-1.patch | 2.97 KB | hefox |
Comments
Comment #1
hefox (CreditAttribution: hefox) commented:
Here's a quick, untested patch that updates the comment_access function and the menu callbacks.
Comment #3
salvis commented:
I definitely agree with the direction of this effort.
Comments on a node (entity) must be protected exactly like the node (entity) that they belong to. They contain quotes of and relate to the content of their parent. Not protecting the comments would betray obvious common sense expectations.
Comment #4
hefox (CreditAttribution: hefox) commented:
Need to use %comment in the hook_menus.
Also, a very basic attempt to update the tests. Modeled after some node access tests I saw, and thus added `$account` as a parameter to comment_access that defaults to `$user`.
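The approach described in comments #1 and #4 (gate comment access on access to the parent node, and let the access function take an account parameter that defaults to the current user), written out as an added illustration in Drupal 7 procedural style. This is not the patch's code: the function name comment_node_access(), the module name example_comment and the router entry are assumptions; node_load(), node_access(), user_access() and COMMENT_PUBLISHED are the Drupal 7 API.

```php
<?php
// Added example, not the patch's code. Assumed names: comment_node_access(),
// example_comment_menu(). node_load(), node_access(), user_access() and
// COMMENT_PUBLISHED are Drupal 7 API.

/**
 * Determine whether $account may perform $op ('view', 'edit', 'delete') on $comment.
 *
 * Mirrors the shape of comment_access(), but adds $account (defaulting to the
 * global $user, as comment #4 describes) and refuses any operation on a
 * comment whose parent node the account cannot view.
 */
function comment_node_access($op, $comment, $account = NULL) {
  global $user;
  if (!isset($account)) {
    $account = $user;
  }

  // A comment whose parent node is missing is never accessible.
  $node = node_load($comment->nid);
  if (!$node) {
    return FALSE;
  }

  // Node access is checked first. Without this, an account that cannot see an
  // unpublished or access-restricted node can still reach its comments through
  // the comment/%/edit and comment/%/delete router paths.
  if (!node_access('view', $node, $account)) {
    return FALSE;
  }

  switch ($op) {
    case 'view':
      return user_access('access comments', $account)
        && ($comment->status == COMMENT_PUBLISHED
            || user_access('administer comments', $account));

    case 'edit':
      $is_own = $account->uid != 0 && $account->uid == $comment->uid;
      return user_access('administer comments', $account)
        || ($is_own
            && user_access('edit own comments', $account)
            && $comment->status == COMMENT_PUBLISHED);

    case 'delete':
      return user_access('administer comments', $account);
  }
  return FALSE;
}

/**
 * Implements hook_menu() for the assumed example_comment module.
 *
 * Uses %comment (comment_load) as comment #4 suggests, so the router hands
 * the access callback a loaded comment object rather than a bare cid.
 */
function example_comment_menu() {
  $items = array();
  $items['example-comment/%comment/edit'] = array(
    'title' => 'Edit comment',
    'page callback' => 'comment_edit_page',
    'page arguments' => array(1),
    'access callback' => 'comment_node_access',
    'access arguments' => array('edit', 1),
    'type' => MENU_CALLBACK,
  );
  $items['example-comment/%comment/delete'] = array(
    'title' => 'Delete comment',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('comment_confirm_delete', 1),
    'access callback' => 'comment_node_access',
    'access arguments' => array('delete', 1),
    'type' => MENU_CALLBACK,
  );
  return $items;
}
```

The point of checking node_access('view', ...) before the per-operation permission checks is that every comment operation inherits the node's visibility rules, including those contributed by node access modules, instead of relying solely on the 'access comments' and 'administer comments' permissions.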
Comment #5
hefox (CreditAttribution: hefox) commented.
Comment #7
hefox (CreditAttribution: hefox) commented.
Comment #8
hefox (CreditAttribution: hefox) commented:
Went to update the patch and ran into the issue that postComment returns this really weird object made via entity_create that is the same type as a comment object, but it used keys like ->id instead of ->cid, ->comment instead of comment_body, etc. Asked in #drupal-contribute if there was any reason for it, but no one there saw a reason. I could have worked around it, but instead I changed it so it returns comment_load for the new comment, which meant updating a lot of other places.
This is sometimes passing local comment tests (not sure what's up), so let's see how it does here.
Comment #10
hefox (CreditAttribution: hefox) commented:
Local tests still running, but let's see if this works.
Comment #12
hefox (CreditAttribution: hefox) commented:
Messed up updating the patch.
Comment #13
hefox (CreditAttribution: hefox) commented.
Comment #14
hefox (CreditAttribution: hefox) commented.
Comment #15
hefox (CreditAttribution: hefox) commented.
Comment #17
hefox (CreditAttribution: hefox) commented.
Comment #19
hefox (CreditAttribution: hefox) commented.
Comment #21
hefox (CreditAttribution: hefox) commented.
Comment #21.0
hefox (CreditAttribution: hefox) commented:
Changing wording, as the issue mentioned does touch on edit.
Comment #24
LoMo (CreditAttribution: LoMo as a volunteer) commented:
I agree with what salvis said in #3 and would actually suggest that this issue should be a "Bug report" with priority level "Major", i.e. not so low a priority as a "Feature request" with priority "Normal".
Comment #25
salvis commented.
Comment #34
pameeela (CreditAttribution: pameeela) commented:
This works now. Steps to test: