Unlike the core tracker and tracker lite, Xtracker appears to list all nodes in its recent posts page, regardless of whether or not the user has permissions to list that node (no permissions to list the taxonomy term). I'm using taxonomy_access.

Is this a feature or a bug?

I took a look at each of the modules to see if I can see how they were handling their queries, but my SQL is so rusty I might as well have been trying to program with punch cards.

Patrick

Comments

bradlis7’s picture

I'm sure it's a bug, because if a user doesn't have access to a node, they shouldn't even know that the node exists.

funana’s picture

Version: 4.6.x-1.x-dev » master

Same in CVS. It shows all node types even if the user shouldn't have access.

Christefano-oldaccount’s picture

I'm looking forward to this being fixed.

pcdonohue’s picture

Status: Active » Needs review
Status: new | Size: 551 bytes

All right,

I don't use this module anymore, but since I posted the original issue I thought I'd take a look at it again and post a fix. The included patch is against the below version.
// $Id: xtracker.module,v 1.5 2006/05/16 17:01:42 wafaa Exp $

I updated the xtracker_page function's main loop with a call to node_access for each node returned from the function's db query.

<?php
while ($node = db_fetch_object($result)) {
  // check user rights
  if (!node_access('view', node_load(array('nid' => $node->nid)))) {
    continue;
  }
  // Determine the number of comments:
  $comments = 0;
...
?>

So if the user doesn't have access privileges to view the node it skips the node while building the list of recent posts.

This seems to do the trick, but test it on your own and see if it works.

Patrick

Christefano-oldaccount’s picture

Tabs for content types unavailable to users are still shown, but at long last the posts themselves are hidden. Thanks, pcdonohue!

ednique’s picture

Status: new | Size: 551 bytes

Here's the taxonomy access fix...
It is rather simple...
I've used it on several modules...

Use db_rewrite_sql() and the security sql is added to the query in case it is needed...
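
The two fixes proposed in this thread (skipping nodes inside the loop, and putting the access condition into the query as db_rewrite_sql() does) compared on a constructed SQLite model. This is an added example, not part of the thread, the attached patches or the xtracker module; the table names, the roles and the page-size limit are assumptions.

```python
import sqlite3

def build_db():
    """Constructed sample data: six nodes; role 'guest' may view only nodes 1, 2 and 4."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, changed INTEGER);
        -- simplified, hypothetical stand-in for an access-grant table
        CREATE TABLE node_grant (nid INTEGER, role TEXT);
    """)
    db.executemany("INSERT INTO node VALUES (?, ?, ?)",
                   [(i, f"post {i}", 1000 + i) for i in range(1, 7)])
    grants = [(i, "member") for i in range(1, 7)] + [(i, "guest") for i in (1, 2, 4)]
    db.executemany("INSERT INTO node_grant VALUES (?, ?)", grants)
    return db

def user_may_view(db, nid, role):
    """Per-node check, the job node_access('view', ...) does in the loop patch."""
    row = db.execute("SELECT 1 FROM node_grant WHERE nid = ? AND role = ?",
                     (nid, role)).fetchone()
    return row is not None

def recent_filtered_in_loop(db, role, limit):
    """Fetch the newest `limit` rows first, then skip rows the user may not view."""
    rows = db.execute("SELECT nid FROM node ORDER BY changed DESC LIMIT ?",
                      (limit,)).fetchall()
    return [nid for (nid,) in rows if user_may_view(db, nid, role)]

def recent_filtered_in_query(db, role, limit):
    """Apply the access condition in SQL, so the limit counts only viewable rows."""
    rows = db.execute(
        "SELECT n.nid FROM node n "
        "INNER JOIN node_grant g ON g.nid = n.nid AND g.role = ? "
        "ORDER BY n.changed DESC LIMIT ?", (role, limit)).fetchall()
    return [nid for (nid,) in rows]

if __name__ == "__main__":
    db = build_db()
    # Both versions hide restricted posts, but the loop filter runs after the
    # limit has been applied, so a restricted user gets a short listing.
    print("loop :", recent_filtered_in_loop(db, "guest", 3))
    print("query:", recent_filtered_in_query(db, "guest", 3))
```

Neither version returns a restricted node. The loop version also costs one extra lookup per row, while the query version does the filtering in a single statement.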