Core modules implement hook_access incorrectly

Here's the patch.

Actually, there's some more confusion here (either in my head or in the function; apologies if the former). It seems like parts of this function use the global $user variable and parts use the passed-in $account. I would think that $user should only be used when $account is not passed in.

OK, it turns out that there is a wider problem. Many of the core modules do not implement hook_access() correctly. In particular, when a user $account is passed in, they will occasionally ignore it and do permission checks against the global $user account (i.e., the currently logged-in user) instead.

I think this patch should take care of it -- it removes all references to the global $user account from the offending functions and instead forces them to use the passed-in $account parameter. (One reason for the problem might be that the documentation for hook_access at http://api.drupal.org/api/function/hook_access/6 is not up to date; it does not reference the $account parameter which is now passed in when this hook is called).

I am marking this as "critical" since doing permission checks against a different user than the one which was requested is obviously a potential security flaw. However, I'm not sure how critical it is in practice, given the way hook_access is called from within Drupal core... but either way, it should be fixed. Thanks.

I don't have a CVS account, so I posted a patch to update the hook_access() docs here: http://drupal.org/node/206401