I have a "Filtered HTML Extended" input format which is used by a few people (editors and moderators) on a site. Normal members and anonymous users don't have access to this input format.
The problem begins when a comment is submitted in the above input format ("Filtered HTML Extended"). When a user that doesn't have access to this input format views that comment, the signature will read "n/a".
I've tracked this down to check_markup(), which user.module calls in user_comment(), to filter the signature before appending it to the comment. I believe FALSE should be passed as a third parameter to check_markup(), which effectively bypasses the filter_access() check, allowing anyone to view the signature without requiring them to have access to the input format the comment is written in.
As I'm not an experienced Drupal developer, I may be missing something critical here, so I'm attaching my proposed patch for review.
Any feedback is welcome! :)
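As an added illustration (not part of the issue or of Drupal's code), the following self-contained PHP models the behaviour described above: with the third argument of check_markup() left at TRUE the format access test is made against the *viewer*, which is what produces "n/a", whereas the permission that actually protects the site belongs at submission time, against the *author*. Function names, role names and the format id are assumed stand-ins.

```php
<?php
// Added example, not Drupal's own code. Simplified stand-ins for
// check_markup()/filter_access() that reproduce the reported symptom.

const FILTER_FORMAT_EXTENDED = 2;   // "Filtered HTML Extended", assumed id

// Roles allowed to *author* text in each format (assumed configuration).
$format_roles = array(FILTER_FORMAT_EXTENDED => array('editor', 'moderator'));

// Stand-in for filter_access(): may $user use $format?
function format_access_model($format, $user, $format_roles) {
  return in_array($user['role'], $format_roles[$format]);
}

// Stand-in for check_markup($text, $format, $check). With $check TRUE the
// access test runs against whoever is *viewing*, so a reader without the
// format permission gets 'n/a' instead of the filtered text.
function check_markup_model($text, $format, $check, $viewer, $format_roles) {
  if ($check && !format_access_model($format, $viewer, $format_roles)) {
    return 'n/a';
  }
  // Stand-in for the format's filter pipeline: the stored markup is still
  // sanitised on every view, independent of the $check flag.
  return strip_tags($text, '<a><em><strong>');
}

// Where the format permission belongs: on save, checked against the author.
function store_signature($signature, $format, $author, $format_roles) {
  if (!format_access_model($format, $author, $format_roles)) {
    throw new Exception('Author may not use this input format');
  }
  return array('signature' => $signature, 'format' => $format);
}

$editor = array('name' => 'editor1', 'role' => 'editor');      // constructed
$anon   = array('name' => 'anonymous', 'role' => 'anonymous'); // constructed
$stored = store_signature('<em>Site editor</em><div onclick="x()">!</div>',
                          FILTER_FORMAT_EXTENDED, $editor, $format_roles);

// Current behaviour ($check = TRUE): the anonymous viewer sees "n/a".
echo check_markup_model($stored['signature'], $stored['format'], TRUE, $anon, $format_roles), "\n";
// Proposed behaviour ($check = FALSE): filters still run, only the
// viewer-side access test is skipped, so the sanitised signature is shown.
echo check_markup_model($stored['signature'], $stored['format'], FALSE, $anon, $format_roles), "\n";
```

The second call shows that skipping the viewer-side check does not bypass filtering; the disallowed tag and its attribute are still stripped.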
Comment | File | Size | Author
---|---|---|---
#1 | drupal.user-comment-signature.patch | 2.48 KB | sun
(issue) | user_comment_signature.patch | 570 bytes | foutrelis
Comments

Comment #1 by sun
Re-rolled for HEAD.
RTBC if bot passes.

Comment #2 by sun
No.

Comment #3 by webchick
Let's get some tests here too. If this has been broken for 16 months, it's likely to break again.
I'm not sure about passing in FALSE there though; that seems like it'll introduce a security vulnerability. But testing will let us know that too. :)

Comment #4 by sun

Comment #5 by David_Rothstein
Subscribe. It seems like passing in FALSE is required to fix the bug, I think? In general, using TRUE is rarely (never?) needed for security reasons... see #446518: Remove $check argument from check_markup()

Comment #6 by geerlingguy
D'oh! Just encountered this issue on a new site I'm building. Would be nice to have it fixed, then backported to D6.

Comment #8 by sun
This bug only exists in D6. I'm not particularly interested in D6.

Comment #9 by Numline1
user_comment_signature.patch queued for re-testing.