Domain access grants update and delete permissions for all domain_id realms in the node_access table [#621290]

When building node access records, domain access grants update and delete permissions to all domain_id entries.

Oddly, these permissions are not actually applied to all users who have access to the record...

According to the Node access rights docs, if any one record grants access, than the user can perform it. This being the case, any user should be able to edit or delete any node due to the access grants.
Obviously, this doesn't happen.

At any rate, modules that can only rely on the node access table for access permissions (such as views) will think that anyone has all grants for all domains, so this really should be fixed.

The solution is to change the two domain_id grants to only grant view, and not update or delete. The grant arrays are at 1358 and 1374.

<?php
  // Set the domain-specific grants.
  if (!empty($node->domains)) {
    foreach ($node->domains as $key => $value) {
      // We can't use a 0 value in an $options list, so convert -1 to 0.
      if (abs($value) > 0) {
        ($key == -1) ? $key = 0 : $key = $key;
        $grants[] = array(
          'realm' => 'domain_id',
          'gid' => $key,
          'grant_view' => TRUE,
          'grant_update' => FALSE,     //Changed
          'grant_delete' => FALSE,      //Changed
          'priority' => 0,
        );
      }
    }
  }
?>

<?php
  // At least one option must be present, and it is the default site
  // this prevents null values in the form.
  // If we are enabling the module for the first time, we set the
  // default domain of all existing nodes to the root domain.
  else {
    $grants[] = array(
    'realm' => 'domain_id',
    'gid' => 0,
    'grant_view' => TRUE,
    'grant_update' => FALSE,      //Changed
    'grant_delete' => FALSE,       //Changed
    'priority' => 0,
    );
  }
?>

I have yet to find the reason this doesn't affect node access, some other module must be denying access explicitly.

The issue that spawned this: #620392: Allow edit and delete access check in "Node Access: Access" filter

Comments

Comment #1

agentrickard

he/him

English

Georgia (US)

CreditAttribution: agentrickard commented 2 November 2009 at 19:50

Status:

Active

» Closed (works as designed)

Nope. Node Access is a two-part system. hook_node_access_records() writes the records to the database. hook_node_grants() enforces the logic. IMO, the documentation is misleading.

We had it the way you suggest in D5, but it is faster and less storage to do it this way.

See domain_node_grants().

Comment #2

mdeltito CreditAttribution: mdeltito commented 6 January 2010 at 18:14

along the same lines, I'm having an issue where anonymous users should NOT have access to a certain node, but they are granted view access regardless due to entries with the domain_id realm.

this is the sql generated by the drupal node_access function:

SELECT count(*) 
FROM node_access 
WHERE (nid = 0 OR nid = 2156) AND (
    (gid = 0 AND realm = 'all') 
    OR (gid = 1 AND realm = 'workflow_access') 
    OR (gid = 0 AND realm = 'workflow_access_owner') 
    OR (gid = 0 AND realm = 'domain_site') 
    OR (gid = 0 AND realm = 'domain_id')
    ) AND grant_view >= 1

which returns 1, and thus grants access

It seems there would have to be a way to explicitly deny access to get around this problem, unless I'm missing something