When viewing question items in a list (using _quiz_get_questions()) the question bodies show up as "n/a" when the user doesn't have access to the input format of the question item.

This is because in quiz_node_map(), the question body is run through check_markup() and it's missing the FALSE argument to suppress the check. The user's access to the input format shouldn't be checked on view.

Sivaji, I said I wouldn't commit to 4.x before the GSoC release without making a ticket and getting your okay. I think this is worth committing.

$new_question->question = check_markup($node->body, $node->format, FALSE);

CommentFileSizeAuthor
#8 534716-no-access-check-for-filters.patch5.46 KBDmitriy.trt
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

turadg’s picture

turadg CreditAttribution: turadg commented

Searching for "check_markup" throughout the "quiz" directory, I see this bug is pretty sprinkled all over. We should do an audit and agree on when the markup needs TRUE as an arg and when FALSE.

falcon’s picture

falcon CreditAttribution: falcon commented

I've changed scale and choice accoring to our discussion on IRC yesterday. (The third parameter for check_markup has beed set to FALSE).

turadg’s picture

turadg CreditAttribution: turadg commented
Status: Active » Fixed

I searched through the code for all calls to check_markup() and added ", FALSE" where appropriate.

For readability, we might consider a helper function make_markup() that calls check_markup with the FALSE argument.

Btw, apparently this issue pops up again and again:
http://drupal.org/node/371730
http://drupal.org/node/363281

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Jim Kirkpatrick’s picture

Jim Kirkpatrick CreditAttribution: Jim Kirkpatrick commented
Version: 6.x-4.x-dev » 6.x-4.3
Component: Code - Quiz module » Code - Multichoice
Status: Closed (fixed) » Active

This bug has not been fixed -- there are some check_markup() without FALSE in the modules with 4.3...

See: the call at line 447 in getAnsweringForm() in quiz_question.core.inc for starters.

Jim Kirkpatrick’s picture

Jim Kirkpatrick CreditAttribution: Jim Kirkpatrick commented
Component: Code - Multichoice » Code - Quiz core

(thought it was just multi-choice but it's core)

borgewarvik’s picture

borgewarvik CreditAttribution: borgewarvik commented
Priority: Normal » Critical
Status: Active » Needs work

This is also found in QuizQuestion->getAnsweringForm()

Line 448 from:

    $form['question'] = array(
      '#type' => 'markup',
      '#value' => check_markup($this->node->body, $this->node->format),
      '#prefix' => '<div class="quiz-question-body">',
      '#suffix' => '</div>',
    );

to

    $form['question'] = array(
      '#type' => 'markup',
      '#value' => check_markup($this->node->body, $this->node->format, FALSE),
      '#prefix' => '<div class="quiz-question-body">',
      '#suffix' => '</div>',
    );

Marking this as critical. This is a bug that needs to be fixed. We get a lot of support requests for this issue.

Dmitriy.trt’s picture

Dmitriy.trt CreditAttribution: Dmitriy.trt commented
Status: Needs work » Needs review
FileSize
534716-no-access-check-for-filters.patch5.46 KB

Here is a patch to disable access check for all check_markup() calls with non-default filters (default filter available to all users).

matdab’s picture

matdab CreditAttribution: matdab commented

subscribing

nvucic’s picture

nvucic CreditAttribution: nvucic commented

Still having this problem, I've applied the patch from #8. It works temporarily, but doesn't save permanently.

falcon’s picture

falcon CreditAttribution: falcon commented
Status: Needs review » Closed (fixed)

Thanks!

  • Commit 66154c1 on 7.x-4.x, 7.x-5.x authored by falcon, committed by paalj: 
    Fix #534716 by Dmitry.trt: No access check for filters

  • Commit 66154c1 on 7.x-4.x, 7.x-5.x, quiz-pages authored by falcon, committed by paalj: 
    Fix #534716 by Dmitry.trt: No access check for filters

  • Commit 66154c1 on 7.x-4.x, 7.x-5.x, quiz-pages, 2269219 authored by falcon, committed by paalj: 
    Fix #534716 by Dmitry.trt: No access check for filters

  • Commit 66154c1 on 7.x-4.x, 7.x-5.x, 2269219 authored by falcon, committed by paalj: 
    Fix #534716 by Dmitry.trt: No access check for filters