Sorry for the maybe confusing title, I will explain it here:
Consider a site with two vocabs A & B with terms associated. We configure a node type, let's say story, to post in both vocabs.
Now take a user "jack". Jack's role has the "create access" for all terms of vocab A in "categories access" but none of vocab B.
When Jack decides to create a story, he will see all granted terms from vocab A (that's perfect), and he will see an empty select for vocab B. That's bad because vocab B can refer to a confidential part of the site and Jack doesn't have to know that...

The problem comes from taxonomy_node_form, where we have:

  // Every vocabulary attached to the node type is loaded, regardless of the
  // current user's term grants, so an empty select is rendered for vocabularies
  // in which the user may create nothing.
  $c = db_query("SELECT v.*, n.type FROM {vocabulary} v INNER JOIN {vocabulary_node_types} n ON v.vid = n.vid WHERE n.type = '%s' ORDER BY v.weight, v.name", $type);
  while ($vocabulary = db_fetch_object($c)) {
    $result[] = taxonomy_form($vocabulary->vid, $terms, $help, $name);
  }

The problem is that this query will select all vocabularies associated to the node type without checking if the user has the right to associate the node with at least one of the terms of each selected category.

So I propose to change the query to something a little more complicated (sorry it's very rough, I'm sure it needs a lot of improvements, but that's for the idea):

  global $user;
  // With taxonomy_access enabled, keep only vocabularies in which at least one
  // term grants "create" to one of the user's roles. User 1 bypasses access
  // control everywhere in Drupal, so the superuser keeps the unfiltered query.
  if (function_exists('taxonomy_access') && $user->uid != 1) {
    // $user->roles is keyed by rid, so the keys form the IN (...) list.
    $c = db_query("SELECT DISTINCT v.*, n.type FROM {term_access} ta INNER JOIN {term_data} td ON ta.tid = td.tid INNER JOIN {vocabulary} v ON v.vid = td.vid INNER JOIN {vocabulary_node_types} n ON v.vid = n.vid WHERE n.type = '%s' AND ta.rid IN (%s) AND ta.grant_create = 1 ORDER BY v.weight, v.name", $type, implode(',', array_keys($user->roles)));
  }
  else {
    // Without taxonomy_access there are no term grants: load every vocabulary
    // attached to the node type, as before.
    $c = db_query("SELECT v.*, n.type FROM {vocabulary} v INNER JOIN {vocabulary_node_types} n ON v.vid = n.vid WHERE n.type = '%s' ORDER BY v.weight, v.name", $type);
  }

  while ($vocabulary = db_fetch_object($c)) {
    $result[] = taxonomy_form($vocabulary->vid, $terms, $help, $name);
  }

Now we only select vocabs according to the user's grants on their terms. If the user has no grant for at least one term in a given vocab, then he won't see an empty select ;)
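An added example (not from this issue or from Drupal's own code) that runs both queries against a small constructed dataset in SQLite, so the effect of the proposed WHERE clause can be checked offline: the unfiltered query lists A and B for everyone, the filtered one lists only vocabularies in which one of the user's roles has grant_create on some term. It also models the user 1 bypass that Drupal applies to access checks, which the original patch lacked. Table names follow the Drupal schema used in the patch, but the vocabularies, terms, roles and grants are constructed sample data, only the term_access columns the query touches are modelled, and Python `?` placeholders stand in for Drupal's `%s` substitution.

```python
import sqlite3

# Constructed sample data (not from the issue): vocabularies A and B both attached
# to the "story" node type, terms in each, and per-role "create" grants on terms.
SCHEMA = """
CREATE TABLE vocabulary (vid INTEGER PRIMARY KEY, name TEXT, weight INTEGER);
CREATE TABLE vocabulary_node_types (vid INTEGER, type TEXT);
CREATE TABLE term_data (tid INTEGER PRIMARY KEY, vid INTEGER, name TEXT);
CREATE TABLE term_access (tid INTEGER, rid INTEGER, grant_create INTEGER);
"""

SAMPLE_ROWS = {
    "vocabulary": [(1, "A", 0), (2, "B", 1)],
    "vocabulary_node_types": [(1, "story"), (2, "story")],
    "term_data": [(1, 1, "public-news"), (2, 1, "public-events"),
                  (3, 2, "confidential-project")],
    # role 3 (jack's role) may create in A's terms; role 4 (insider) may create in
    # B's term; role 3 has an explicit grant_create = 0 row on B's term.
    "term_access": [(1, 3, 1), (2, 3, 1), (3, 4, 1), (3, 3, 0)],
}

# Original taxonomy_node_form query, with {table} prefixes removed and ? placeholders.
UNFILTERED_SQL = """
SELECT v.*, n.type FROM vocabulary v
INNER JOIN vocabulary_node_types n ON v.vid = n.vid
WHERE n.type = ? ORDER BY v.weight, v.name
"""

# Proposed query: a vocabulary appears only if at least one of its terms carries
# grant_create = 1 for one of the user's roles.
FILTERED_SQL = """
SELECT DISTINCT v.*, n.type FROM term_access ta
INNER JOIN term_data td ON ta.tid = td.tid
INNER JOIN vocabulary v ON v.vid = td.vid
INNER JOIN vocabulary_node_types n ON v.vid = n.vid
WHERE n.type = ? AND ta.rid IN ({placeholders}) AND ta.grant_create = 1
ORDER BY v.weight, v.name
"""


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def vocabularies_unfiltered(conn, node_type):
    """Vocabulary names the original code would render for node_type."""
    return [row[1] for row in conn.execute(UNFILTERED_SQL, (node_type,))]


def vocabularies_for_user(conn, node_type, uid, rids):
    """Vocabulary names the patched code would render for a user with roles rids.

    uid 1 is Drupal's superuser and bypasses access checks, so it gets the
    unfiltered list; a user with no roles cannot match any grant row.
    """
    if uid == 1:
        return vocabularies_unfiltered(conn, node_type)
    if not rids:
        return []
    sql = FILTERED_SQL.format(placeholders=",".join("?" * len(rids)))
    return [row[1] for row in conn.execute(sql, (node_type, *rids))]


if __name__ == "__main__":
    db = build_db()
    print("everyone, original query:", vocabularies_unfiltered(db, "story"))
    print("jack (roles 2,3), patched:", vocabularies_for_user(db, "story", 5, [2, 3]))
    print("insider (roles 2,4), patched:", vocabularies_for_user(db, "story", 7, [2, 4]))
    print("user 1, patched:", vocabularies_for_user(db, "story", 1, [2]))
```

Jack sees only A with the patched query, so no empty select for B is rendered and the existence of B is not leaked; a role with an explicit grant_create = 0 row on B's term is treated the same as having no row at all.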

Comments

Coyote:

I applied this patch, only to discover that _apparently_, it prevents the image.module from functioning properly.

I'm not sure why, but when this patch is applied, you can no longer assign an image to any vocabularies or terms.

When I remove the patch, everything seems to be fine. But when I apply the patch, everything works for me (so far) _except_ images.

I've really been pulling my hair out over this. The darn image module seems so quirky anyway. (Apparently, sometimes, it "loses" which vocabulary images are supposed to be attached to for galleries. I originally thought that was the problem, since I've had it before. But upon experimentation, I discovered that disabling this patch and putting things back the way they were before fixed the problem with images going into galleries.)

I just can't seem to figure out enough of how Drupal handles taxonomy and permissions and all that to even know what it is about the query formed by the above patch that's wrong.

Since everything _except_ images seems to be working with this patch, I'm going to try adding another "if" statement to trap out _just_ for the image type (and use just the normal query for images).

But I suspect that if this patch won't work for images, if it's something to do with it having a "special" taxonomy, then there may also be problems with forum posts - we'll see.

Coyote:

Okay, this is strange... apparently it wasn't just images. Apparently this patch doesn't work for me at all.

I _think_ it's that even if I'm signed in as the admin user, if no other roles I have access to are given a certain privilege, it keeps me from seeing anything, as if I weren't the super user.

In other words, this patch does its check for role-based permissions, and doesn't override that for the admin.

I think. Unless I'm just totally confused, which is possible. : )

tostinni:

Hi,
Can you give me some clues/steps to reproduce your problem?
I don't understand it :(
What do you mean by "prevent me to see anything"? Are you speaking about taxonomies? Have you configured the right taxonomy permissions for your role (create and edit)?

keve:

Status: Needs review » Fixed

This bug has been solved here (in a different way):
http://drupal.org/node/45632

If you have trouble submitting images, please submit a new bug report.

Anonymous:

Status: Fixed » Closed (fixed)