Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Take a user without permissions to view or edit some content type.
Lets say that content type nid is 45.
The said user go to the url and trigger a lock on content they are not allowed to edit or even view: http://example/node/45/edit
I can login as a user who _is_ authorized to edit and if the above user did what was mentioned, the "this document was locked by.." does in fact show up!
Additional Potentially Relevant Modules Installed: ACL, Content Access.
Comment | File | Size | Author |
---|---|---|---|
#4 | 422870-checkout-access.patch | 1.34 KB | smk-ka |
#3 | checkout.module-check_access.patch | 1.2 KB | thekevinday |
#2 | checkout.module-check_access.patch | 1.19 KB | smk-ka |
#1 | checkout-6.x-2.x-lock_access_fix-1.patch | 1.17 KB | thekevinday |
Comments
Comment #1
thekevinday CreditAttribution: thekevinday commentedComment #2
smk-ka CreditAttribution: smk-ka commentedNice catch! I've just fixed on place: node_access() requires a node object, not a nid. Otherwise this looks good to me.
Comment #3
thekevinday CreditAttribution: thekevinday commentedThanks for the correction, i rushed the patch out without much testing at all...
Something still went wrong during my testing, I looked at http://api.drupal.org/api/function/node_access/6
Apparently, it should not be 'edit' but instead be 'update'.
Comment #4
smk-ka CreditAttribution: smk-ka commentedFound a better solution using menu_get_item(): the hardwired node_access('update', ...) only checks for node edit permissions, which might be sufficient for node/%/edit, but not any other path that can be locked. For example, on node/%/outline we need to check for book.module's "administer outline" permission. This can be done by directly querying the menu system and letting it figure out the access permissions.
Comment #5
Leeteq CreditAttribution: Leeteq commentedSubscribing.
Comment #6
thekevinday CreditAttribution: thekevinday commentedI have had the #4 patch applied for a little while now without any related troubles popup.
Comment #7
cels CreditAttribution: cels commentedHas anyone tested if there are problems with
· Taxonomy Access Control
· Domain Access
· Domain Access pach: multiple_node_access patch (allows you to use AND logic instead of OR logic: ALL of the access' modules must allow you to view/edit the node, not only one)
I try to reproduce the scenary and test it.
Comment #8
itsnotme CreditAttribution: itsnotme commentedI didn't check the patches yet, but I just found out that at least some of the "unauthorized" locking was caused by users opening the revisions tab of a content.
Whoa. That is an unexpected behavior. The message "...is locked" appears, but I wonder why the lock happens at all, because revisions should only be displayed at that point.
Comment #9
stacysimpson CreditAttribution: stacysimpson commented+1. We are also getting hit with the inadvertent locking of content when navigating to the revisions tab.
Comment #10
stacysimpson CreditAttribution: stacysimpson commentedWe've confirmed that the patch from #4 does not work with 'Taxonomy Access Control Lite', 'Module Grants' and 'Workflow Access'. The patch from #3 does work though.
We are still interested in a fix for inadvertent locking when navigating to the 'revisions' tab.
Comment #11
stacysimpson CreditAttribution: stacysimpson commentedGot time to look through the code, the following line allows people to override the locking behavior using a variable:
$patterns = variable_get('checkout_edit_paths', "edit\nrevisions\nrevisions/*\noutline\nclassify");
We added only 'edit' to the settings.php file and it seems to work fine for us. Still believe the default setting shouldn't lock when navigating to the revisions tab.
Comment #12
itsnotme CreditAttribution: itsnotme commentedIn settings.php? Why did you do anything in that one? *confused*
I tried using the line
$patterns = variable_get('checkout_edit_paths', "edit");
but then nothing gets locked properly, despite the message being shown. Help would still be appreciated.
Comment #13
thekevinday CreditAttribution: thekevinday commentedperhaps something like
$op
should be passed to the function in question so that we know if the operation is treated as an update and can handle permissions?Comment #14
stacysimpson CreditAttribution: stacysimpson commented@itsnotme. The 'variable_get' function will use the provided variable's value ('checkout_edit_paths' in this instance) or the provided default value. As opposed to changing the source code, we choose to set the variable's value in settings.php.
Looks like it appropriately locks the node (on edit only) to me.
Comment #15
EugenMayer CreditAttribution: EugenMayer commentedYou might want check http://drupal.org/project/content_lock . Its a fork(and partially rewrite) of checkout and activly maintained. It does not seem that checkout is maintained anymore (not officially confirmed though)