Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I noticed that in node_content_access(), the $account parameter is not passed through to user_access() when delete permissions are being checked (but it is passed through when "edit" and "create" permissions are checked). I'm not entirely sure what the consequences of this would be, but it seems like a bug, so a patch is attached.
Comment | File | Size | Author |
---|---|---|---|
#3 | hook_access_account.patch | 3.04 KB | David_Rothstein |
#1 | node_content_access.patch | 757 bytes | David_Rothstein |
Comments
Comment #1
David_Rothstein CreditAttribution: David_Rothstein commentedHere's the patch.
Comment #2
David_Rothstein CreditAttribution: David_Rothstein commentedActually, there's some more confusion here (either in my head or in the function; apologies if the former). It seems like parts of this function use the global $user variable and parts use the passed-in $account. I would think that $user should only be used when $account is not passed in.
Comment #3
David_Rothstein CreditAttribution: David_Rothstein commentedOK, it turns out that there is a wider problem. Many of the core modules do not implement hook_access() correctly. In particular, when a user $account is passed in, they will occasionally ignore it and do permission checks against the global $user account (i.e., the currently logged-in user) instead.
I think this patch should take care of it -- it removes all references to the global $user account from the offending functions and instead forces them to use the passed-in $account parameter. (One reason for the problem might be that the documentation for hook_access at http://api.drupal.org/api/function/hook_access/6 is not up to date; it does not reference the $account parameter which is now passed in when this hook is called).
I am marking this as "critical" since doing permission checks against a different user than the one which was requested is obviously a potential security flaw. However, I'm not sure how critical it is in practice, given the way hook_access is called from within Drupal core... but either way, it should be fixed. Thanks.
Comment #4
moshe weitzman CreditAttribution: moshe weitzman commentedi reviewed and tested this. looks good.
Comment #5
Gábor HojtsyReviewed. Looks good, committed, thanks.
Comment #6
Gábor HojtsyYou can update the hook_access() docs in contributions/docs. Please do so.
Comment #7
David_Rothstein CreditAttribution: David_Rothstein commentedI don't have a CVS account, so I posted a patch to update the hook_access() docs here: http://drupal.org/node/206401
Comment #8
(not verified) CreditAttribution: commentedAutomatically closed -- issue fixed for two weeks with no activity.