Unlike the core tracker and tracker lite, Xtracker appears to list all nodes in its recent posts page, regardless of whether or not the user has permissions to list that node (no permissions to list the taxonomy term). I'm using taxonomy_access.

Is this a feature or a bug?

I took a look at each of the modules to see if I can see how they were handling their queries, but my SQL is so rusty I might as well have been trying to program with punch cards.

Patrick

CommentFileSizeAuthor
#6 xtracker.module.patch.txt611 bytesednique
#4 xtracker.module.patch.0551 bytespcdonohue
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

bradlis7’s picture

bradlis7 CreditAttribution: bradlis7 commented

I'm sure it's a bug, because if a user doesn't have access to a node, they shouldn't even know that the node exists.

funana’s picture

funana CreditAttribution: funana commented
Version: 4.6.x-1.x-dev » master

Same in CVS. It shows all nodetypes even if the user shouldnt have access.

Christefano-oldaccount’s picture

Christefano-oldaccount CreditAttribution: Christefano-oldaccount commented

I'm looking forward to this being fixed.

pcdonohue’s picture

pcdonohue CreditAttribution: pcdonohue commented
Status: Active » Needs review
FileSize
xtracker.module.patch.0551 bytes

All right,

I don't use this module anymore, but since I posted the original issue I thought I'd take a look at it again and post a fix. The included patch is against the below version.
// $Id: xtracker.module,v 1.5 2006/05/16 17:01:42 wafaa Exp $

I updated the xtracker_page function's main loop with a call to node_access for each node returned from the funtion's db query. 

  while ($node = db_fetch_object($result)) {
    // check user rights
	if (!node_access('view',node_load(array('nid' => $node->nid)))) {
		continue;
	}
	// Determine the number of comments:
       $comments = 0;
...

So if the user doesn't have access privileges to view the node it skips the node while building the list of recent posts.

This seems to do the trick, but test it on your own and see if it works.

Patrick

Christefano-oldaccount’s picture

Christefano-oldaccount CreditAttribution: Christefano-oldaccount commented

Tabs for content types unavailable to users are still shown, but at long last the posts themselves are hidden. Thanks, pcdonohue!

ednique’s picture

ednique CreditAttribution: ednique commented
FileSize
xtracker.module.patch.txt611 bytes

Here's the taxonomy access fix...
It is rather simple...
I've used it on several modules...

Use db_rewrite_sql() and the security sql is added to the query in case it is needed...