I'm not 100%, hence no security report, but I suspect live.module.
What happens: When I edit some node (article, page) as a user of "webmaster role" (all rights but not user/1) and hit preview, I see the preview all right. But when I actually save the node, suddenly I see fewer links/content. When I go to /user I'm directed to the node's author user. I have to log out and back in again as webmaster.
The node's author's group has rights to use live.module on nodes and edit own nodes.
Cheers.
Comments
Comment #1
arhip commented
Experiencing this too.
Comment #2
frjo commented
I too see this problem. Not tested, but I suspect lines 46-57 in live.node.inc. The variable $user is being set here, and since there is a "global $user" at the start of the function, the global user object is being messed with.
I believe $user should be replaced with $account instead, like this.
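The pattern described in Comment #2, as an added example that is not part of the original thread and is not the live module's code. It is plain PHP with no Drupal dependency; `example_user_load()`, `example_preview_buggy()`, `example_preview_fixed()` and the sample users and node are constructed for illustration.

```php
<?php
// Constructed stand-in for Drupal's session user; not taken from live.node.inc.
$user = (object) array('uid' => 5, 'name' => 'webmaster');

// Hypothetical loader standing in for user_load().
function example_user_load($uid) {
  $names = array(5 => 'webmaster', 9 => 'author');
  return (object) array('uid' => $uid, 'name' => $names[$uid]);
}

// Buggy pattern: "global $user" binds the local name to the session user,
// so the assignment replaces the logged-in user for the rest of the request.
function example_preview_buggy($node) {
  global $user;
  $user = example_user_load($node->uid);
  return "Preview rendered as {$user->name}";
}

// Fixed pattern: the node author is kept in a separate local variable and
// the global object is only read, never reassigned.
function example_preview_fixed($node) {
  global $user;
  $account = example_user_load($node->uid);
  return "Preview rendered as {$account->name} for viewer {$user->name}";
}

// Regression check: run a callback and report whether it changed the
// identity held in the global user object.
function example_identity_changed($callback, $node) {
  $before = $GLOBALS['user']->uid;
  call_user_func($callback, $node);
  return $GLOBALS['user']->uid !== $before;
}

// Constructed node owned by uid 9 while uid 5 is logged in.
$node = (object) array('nid' => 1, 'uid' => 9);

foreach (array('example_preview_fixed', 'example_preview_buggy') as $fn) {
  $changed = example_identity_changed($fn, $node) ? 'yes' : 'no';
  echo "$fn: global user changed = $changed\n";
}
```

A check like `example_identity_changed()` can be wrapped around any preview or render callback in a test to catch code that reassigns the global user object.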
Comment #3
Anonymous (not verified) commented
Hi everybody!
I confirm this effect. I use the latest stable release (6.x-1.0) and I can repeat this "feature" in any direction. So it doesn't matter if I was UserA and change the author to UserB or vice versa.
If I save the change without a preview with Live-Module (logged in as UserA), nothing special happens. The author is UserB and I'm furthermore logged in as UserA.
But if I take a preview with Live-Module and then save the article, I'm suddenly logged in as UserB.
Sven
PS: Excuse me, but I'm not a native English speaker ;-)
Comment #4
Gurpartap Singh commented
http://drupal.org/node/534976
Comment #5
heine commented
If you are not 100% sure, please report it as a security issue, we can always go to the public queue, but never vv.