When viewing question items in a list (using _quiz_get_questions()) the question bodies show up as "n/a" when the user doesn't have access to the input format of the question item.
This is because in quiz_node_map(), the question body is run through check_markup() and it's missing the FALSE argument to suppress the check. The user's access to the input format shouldn't be checked on view.
Sivaji, I said I wouldn't commit to 4.x before the GSoC release without making a ticket and getting your okay. I think this is worth committing.
$new_question->question = check_markup($node->body, $node->format, FALSE);
Comment | File | Size | Author |
---|---|---|---|
#8 | 534716-no-access-check-for-filters.patch | 5.46 KB | Dmitriy.trt |
Comments
Comment #1
turadg commented:
Searching for "check_markup" throughout the "quiz" directory, I see this bug is pretty sprinkled all over. We should do an audit and agree on when the markup needs TRUE as an arg and when FALSE.
Comment #2
falcon commented:
I've changed scale and choice according to our discussion on IRC yesterday. (The third parameter for check_markup has been set to FALSE).
Comment #3
turadg commented:
I searched through the code for all calls to check_markup() and added ", FALSE" where appropriate.
For readability, we might consider a helper function make_markup() that calls check_markup with the FALSE argument.
Btw, apparently this issue pops up again and again:
http://drupal.org/node/371730
http://drupal.org/node/363281
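The audit proposed in comments #1 and #3, sketched as an added example (not part of the thread and not the Quiz module's code): it lists every check_markup() call that still runs the input-format access check, so each can be reviewed as a stored-content view (FALSE) or unsaved input such as a preview (TRUE). It assumes the Drupal 6 signature, where the third parameter $check defaults to TRUE; audit(), split_args() and the sample PHP are constructed for illustration, and calls inside PHP comments are not skipped.

```python
import re

# Calls only; the "function check_markup(" definition itself is skipped.
CALL = re.compile(r'(?<!function\s)\bcheck_markup\s*\(')
# A token is a whole PHP string literal or a single character.
TOKEN = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|.""", re.S)

def split_args(src, start):
    """Split a call's top-level arguments; start is the index just past '('."""
    args, cur, depth = [], [], 0
    for tok in TOKEN.finditer(src, start):
        t = tok.group()
        if t in '([{':
            depth += 1
        elif t in ')]}':
            if depth == 0:              # closing paren of check_markup(
                args.append(''.join(cur).strip())
                return [a for a in args if a]
            depth -= 1
        elif t == ',' and depth == 0:   # top-level argument separator
            args.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(t)
    return None                         # unterminated call

def audit(src):
    """Return (line, args) for calls that still run the format access check."""
    findings = []
    for m in CALL.finditer(src):
        args = split_args(src, m.end())
        if args is None:
            continue
        # Assumption: Drupal 6 signature, $check (third argument) defaults to TRUE.
        check = args[2].upper() if len(args) >= 3 else 'TRUE'
        if check != 'FALSE':
            findings.append((src.count('\n', 0, m.start()) + 1, args))
    return findings

# Constructed sample, not the Quiz module's code.
SAMPLE = """<?php
$a = check_markup($node->body, $node->format, FALSE);
$b = check_markup($node->body, $node->format);
$c = check_markup(t('Hint: a, b (c)'), $format, TRUE);
$d = check_markup(implode(', ', $parts));
"""
```

Running audit() over each file's contents yields the line numbers to review; the filter itself is applied either way, since the third argument only controls the access check on the format.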
Comment #5
Jim Kirkpatrick commented:
This bug has not been fixed -- there are some check_markup() without FALSE in the modules with 4.3...
See: the call at line 447 in getAnsweringForm() in quiz_question.core.inc for starters.
Comment #6
Jim Kirkpatrick commented:
(thought it was just multi-choice but it's core)
Comment #7
borgewarvik commented:
This is also found in QuizQuestion->getAnsweringForm()
Line 448 from:
to
Marking this as critical. This is a bug that needs to be fixed. We get a lot of support requests for this issue.
Comment #8
Dmitriy.trt commented:
Here is a patch to disable access check for all check_markup() calls with non-default filters (default filter available to all users).
Comment #9
matdab commented:
subscribing
Comment #10
nvucic commented:
Still having this problem, I've applied the patch from #8. It works temporarily, but doesn't save permanently.
Comment #11
falcon commented:
Thanks!