Problem: Unauthorized Locking of Nodes that cannot be edited [#422870]

Take a user without permissions to view or edit some content type.

Lets say that content type nid is 45.

The said user go to the url and trigger a lock on content they are not allowed to edit or even view: http://example/node/45/edit

I can login as a user who _is_ authorized to edit and if the above user did what was mentioned, the "this document was locked by.." does in fact show up!

Additional Potentially Relevant Modules Installed: ACL, Content Access.

Comment	File	Size	Author
#4	422870-checkout-access.patch	1.34 KB	smk-ka
#3	checkout.module-check_access.patch	1.2 KB	thekevinday
#2	checkout.module-check_access.patch	1.19 KB	smk-ka
#1	checkout-6.x-2.x-lock_access_fix-1.patch	1.17 KB	thekevinday

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

thekevinday CreditAttribution: thekevinday commented 8 May 2009 at 17:53

File	Size
checkout-6.x-2.x-lock_access_fix-1.patch	1.17 KB

Comment #2

smk-ka CreditAttribution: smk-ka commented 8 May 2009 at 22:40

Status:

Active

» Needs review

File	Size
checkout.module-check_access.patch	1.19 KB

Nice catch! I've just fixed on place: node_access() requires a node object, not a nid. Otherwise this looks good to me.

Comment #3

thekevinday CreditAttribution: thekevinday commented 11 May 2009 at 14:00

File	Size
checkout.module-check_access.patch	1.2 KB

Thanks for the correction, i rushed the patch out without much testing at all...

Something still went wrong during my testing, I looked at http://api.drupal.org/api/function/node_access/6

Apparently, it should not be 'edit' but instead be 'update'.

Comment #4

smk-ka CreditAttribution: smk-ka commented 17 June 2009 at 17:23

File	Size
422870-checkout-access.patch	1.34 KB

Found a better solution using menu_get_item(): the hardwired node_access('update', ...) only checks for node edit permissions, which might be sufficient for node/%/edit, but not any other path that can be locked. For example, on node/%/outline we need to check for book.module's "administer outline" permission. This can be done by directly querying the menu system and letting it figure out the access permissions.

Comment #5

Leeteq CreditAttribution: Leeteq commented 1 September 2009 at 09:09

Subscribing.

Comment #6

thekevinday CreditAttribution: thekevinday commented 11 September 2009 at 18:43

I have had the #4 patch applied for a little while now without any related troubles popup.

Comment #7

cels CreditAttribution: cels commented 25 November 2009 at 16:50

Has anyone tested if there are problems with
· Taxonomy Access Control
· Domain Access
· Domain Access pach: multiple_node_access patch (allows you to use AND logic instead of OR logic: ALL of the access' modules must allow you to view/edit the node, not only one)

I try to reproduce the scenary and test it.

Comment #8

itsnotme CreditAttribution: itsnotme commented 2 December 2009 at 14:05

I didn't check the patches yet, but I just found out that at least some of the "unauthorized" locking was caused by users opening the revisions tab of a content.

Whoa. That is an unexpected behavior. The message "...is locked" appears, but I wonder why the lock happens at all, because revisions should only be displayed at that point.

Comment #9

stacysimpson CreditAttribution: stacysimpson commented 24 February 2010 at 19:42

Status:

Needs review

» Needs work

+1. We are also getting hit with the inadvertent locking of content when navigating to the revisions tab.

Comment #10

stacysimpson CreditAttribution: stacysimpson commented 25 February 2010 at 04:23

We've confirmed that the patch from #4 does not work with 'Taxonomy Access Control Lite', 'Module Grants' and 'Workflow Access'. The patch from #3 does work though.

We are still interested in a fix for inadvertent locking when navigating to the 'revisions' tab.

Comment #11

stacysimpson CreditAttribution: stacysimpson commented 25 February 2010 at 20:42

Got time to look through the code, the following line allows people to override the locking behavior using a variable:
$patterns = variable_get('checkout_edit_paths', "edit\nrevisions\nrevisions/*\noutline\nclassify");

We added only 'edit' to the settings.php file and it seems to work fine for us. Still believe the default setting shouldn't lock when navigating to the revisions tab.

Comment #12

itsnotme CreditAttribution: itsnotme commented 10 March 2010 at 10:44

In settings.php? Why did you do anything in that one? *confused*

I tried using the line
$patterns = variable_get('checkout_edit_paths', "edit");

but then nothing gets locked properly, despite the message being shown. Help would still be appreciated.

Comment #13

thekevinday CreditAttribution: thekevinday commented 10 March 2010 at 14:21

perhaps something like $op should be passed to the function in question so that we know if the operation is treated as an update and can handle permissions?

Comment #14

stacysimpson CreditAttribution: stacysimpson commented 11 March 2010 at 13:59

@itsnotme. The 'variable_get' function will use the provided variable's value ('checkout_edit_paths' in this instance) or the provided default value. As opposed to changing the source code, we choose to set the variable's value in settings.php.

$conf = array(
#   'site_name' => 'My Drupal site',
#   'theme_default' => 'minnelli',
#   'anonymous' => 'Visitor',
   'checkout_edit_paths' => 'edit',
);

Looks like it appropriately locks the node (on edit only) to me.

Comment #15

EugenMayer CreditAttribution: EugenMayer commented 11 March 2010 at 19:20

You might want check http://drupal.org/project/content_lock . Its a fork(and partially rewrite) of checkout and activly maintained. It does not seem that checkout is maintained anymore (not officially confirmed though)