/**
 * Implementation of hook_db_rewrite_sql
 */
function node_db_rewrite_sql($query, $primary_table, $primary_field) {
  if ($primary_field == 'nid' && !node_access_view_all_nodes()) {
    $return['join'] = _node_access_join_sql($primary_table);
    $return['where'] = _node_access_where_sql();
    $return['distinct'] = 1;
    return $return;
  }
}

Both the join and where clauses have checks for administer nodes permission, so the effect of db_rewrite_sql for an administrator (with "administer nodes" permission) is that node_access_view_all_nodes is still run (extra query) and the distinct is added -- that seems incorrect.

Adding the check to db_rewrite_sql and not changing node_access_view_all_nodes, as the function comment indicates it's for specially checking for that grant, and not for checking if the user can view all nodes despite what the function name implies (so changing it seems like an API change).

This patch does have the effect of removing a distinct that some bad queries may have been relying on :/.

(Not sure if node_access_view_all_nodes is called in D7 despite the bypass node access permission, as node_db_rewrite_sql is gone and I didn't look further into it.)

File | Size | Author
node_db_rewrite_sql_check_perm.patch | 30.55 KB | hefox

Comments

Status: Needs review » Closed (outdated)

Automatically closed because Drupal 6 is no longer supported. If the issue verifiably applies to later versions, please reopen with details and update the version.