My specific problem: I'm using EVA to attach a view to a node, and then Views Data Export to attach a download link to that view. I want to give the download link a url like "node/%/mycsv.csv", and have this path be protected same as the node. More generally, shouldn't all paths following 'node/nid' (besides the admin ones like /edit and /delete) be protected exactly as the node page itself is?
In protected_node.module, I find this code:
elseif (($param2 == 'done' && module_exists('webform')) || ($param2 == 'mid' && module_exists('nodesymlinks')) || ($param2 == 'register' && module_exists('registration'))) {
$nid = protected_node_is_locked(arg(1), 'view');
}
else {
// Any access right?
$nid = protected_node_is_locked(arg(1));
}
Why do we have to in effect whitelist the parameter following nid to not get Access Denied? I don't understand the parameters being passed to protected_node_is_locked.
Comment | File | Size | Author |
---|---|---|---|
#3 | protected_node-subpaths-2555557-3.patch | 1.09 KB | digitgopher |
Comments
Comment #2
GrimreaperHello digitgopher,
I also think that whitelisting is not a sustainable way to do that. If you want to provide this easy patch, I will merged it.
About the parameters passed to protected_node_is_locked, arg(1), is the node_id is we are on a page like node/123. and the second parameter is the operation, 'view', 'edit', 'delete'
Comment #3
digitgopher CreditAttribution: digitgopher commentedOk, this is what makes sense to me.
Is it what you had in mind?
Comment #5
GrimreaperExactly. Thanks this is merged now.