Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Unlike the core tracker and tracker lite, Xtracker appears to list all nodes in its recent posts page, regardless of whether or not the user has permissions to list that node (no permissions to list the taxonomy term). I'm using taxonomy_access.
Is this a feature or a bug?
I took a look at each of the modules to see if I can see how they were handling their queries, but my SQL is so rusty I might as well have been trying to program with punch cards.
Patrick
Comment | File | Size | Author |
---|---|---|---|
#6 | xtracker.module.patch.txt | 611 bytes | ednique |
#4 | xtracker.module.patch.0 | 551 bytes | pcdonohue |
Comments
Comment #1
bradlis7 CreditAttribution: bradlis7 commentedI'm sure it's a bug, because if a user doesn't have access to a node, they shouldn't even know that the node exists.
Comment #2
funana CreditAttribution: funana commentedSame in CVS. It shows all nodetypes even if the user shouldnt have access.
Comment #3
Christefano-oldaccount CreditAttribution: Christefano-oldaccount commentedI'm looking forward to this being fixed.
Comment #4
pcdonohue CreditAttribution: pcdonohue commentedAll right,
I don't use this module anymore, but since I posted the original issue I thought I'd take a look at it again and post a fix. The included patch is against the below version.
// $Id: xtracker.module,v 1.5 2006/05/16 17:01:42 wafaa Exp $
I updated the xtracker_page function's main loop with a call to node_access for each node returned from the funtion's db query.
So if the user doesn't have access privileges to view the node it skips the node while building the list of recent posts.
This seems to do the trick, but test it on your own and see if it works.
Patrick
Comment #5
Christefano-oldaccount CreditAttribution: Christefano-oldaccount commentedTabs for content types unavailable to users are still shown, but at long last the posts themselves are hidden. Thanks, pcdonohue!
Comment #6
ednique CreditAttribution: ednique commentedHere's the taxonomy access fix...
It is rather simple...
I've used it on several modules...
Use db_rewrite_sql() and the security sql is added to the query in case it is needed...