node_query_node_access_alter assumes $op, assumes $user, and will only work if alias is "n"

Looks like we are on the same page, but what happens if I have multiple node joins in the same query -- how can I make sure they are all altered?

In D6, I would use _db_rewrite_sql() for each piece as I joined it, but...

Here's a patch that at least should work for a single join, not hard-wiring the "n" table alias. Let's see what the testbot thinks. And reviewers.

So... If you have multiple joins, it doesn't look like this will work. It would need to find all of the node table aliases, and join a new node_access for each one. If you use sub-query joins, the query alter still only gets run once, in the preExecute step, so it would only be altering the outer query.

That's probably a problem anyway -- if you use db_select() to define a query involving node that needs node_access, and then you tag that query with node_access, it will not trigger hook_query_node_access_alter() to get run, because only the outer query is altered.

From IRC/Crell:
What about grabbing the table data out of the query, searching it for all node entries, and doing an appropriate join for each of them?
That would then hard-code that hook to filter any instance of the node table, whatever its alias.

My response: Yes, good idea.

Here's a patch that will add node access to all instances of the node table in the query.

At least, I think it should.

Ah, thanks!

I don't think I'd want it by reference, because it would be changed as we march through the tables and do ->join() on the $query object.

Here's a new patch. Hopefully the test bot will wake up and test this one sometime.

There is an error in the above patch:
foreach ($query->tables

should be
foreach($tables

I am testing this patch and will post another one when I get it working...

Here's a new patch. It appears to work, in my tests of the 7.x version of Search by Page (drupal.org/project/search_by_page HEAD), which rely on this functionality working (i.e. being able to join on node with aliases other than "n" and having node access applied).

Maybe the test bot will be working one of these days?

Do we need a test before the patch can be committed at all?

Also, what's your philosophy on tests -- I mean, should we test node access, or just test that this specific function works on a made-up query and does the right join?

This bug will make a test crash with an exception, not return more nodes -- because the node access query alter will be trying to join to a table alias of "n" that doesn't exist.

Anyway, I can certainly devise a test in a few lines, and will do so later today when I wake up fully. :)

Will do, thanks for the suggestion.

OK. Here's a patch with a test, including a new test class.

I have verified that the above patch in #12 on node.module takes the test from failing to passing.

So this patch includes both the test and the patch for node.module from #12.

I guess I can take the "needs tests" tag off now?

I dont' need the value of $node. Guess I shouldn't have saved the return value of drupalCreateNode().

Here's a version without saving $node, since it isn't used.

I did try to do a unit test...

There would have to be more overhaul of http://api.drupal.org/api/function/node_query_node_access_alter/7 for that to work. There are several calls to things that implicitly assume global $user in that function, such as user_access('bypass node access')

Maybe that is a bug in the query alter function, but I'm not sure, since that tag is not particularly documented that I could find, so I wasn't sure about that $account metadata.

Just to be clear: If you run the query in #25, that test will fail because the query will not be altered, because the DrupalWebTestCase leaves the $user as user-1, and that user can bypass all node access checks.

ADDED LATER: I think that is a separate issue about the node_query_node_access_alter, that it implicitly relies on global $user and doesn't fully use the metadata $account. So maybe we should address it on a separate issue report?

Another separate issue with this function is that it implicitly assumes 'op' = 'view' at the top, where it bypasses everything

if (!node_access_view_all_nodes()

If you look at that function, it only checks whether some module(s) are providing grants having to do with view permission, so if the only custom perms are edit/delete, then the whole query alter is bypassed.

So the whole idea of the metadata fields for op and account were not built correctly into this function. But again, I think it's a totally separate issue (or perhaps two) from the issue reported here, which is that the table alias should not be assumed to be "n".

We can't do the test at the low level proposed above with these two issues lingering...

OK, I'm going to work up another patch that fixes these issues together:
- Need to be able to specify $account
- Need to be able to specify $op
- Need to be able to alias with other than "n".

And have some more tests, more low-level.

OK, here it is.

A better-working function, and more tests. This fixes
- Need to be able to specify $account
- Need to be able to specify $op
- Need to be able to alias with other than "n".

And I added to the doc header about those meta data options.

I also reverted just the node.module part of the patch to what's currently committed to D7 HEAD, and the following tests failed:
- Database exceptions when viewing the pages in the browser in testNodeQueryAlterWithUI()
- Using the low-level queries in testNodeQueryAlterLowLevel(), there was no access blocking for the no-access user or the 'update' permission check (both of them could see everything, and the queries weren't altered).

So. Hopefully this will pass muster. :)

I'll request a retest just in case, and if it still fails "Node RSS Content (NodeRSSContentTestCase)", I'll look into it. I do not think this fix would cause that failure...

#30: 701744fixmore.patch queued for re-testing.

This looks like an actual test failure. Investigating.

Grrrrrr.

The problem is that the node_test.module removes all access grants in its node_test_node_grants_alter(), thereby denying all users access to any content that is queried with the 'node_access' tag. So now that the node_access query alter is actually doing what it is supposed to, it is denying access to view content at rss.xml.

Sigh.

I'm going to have to split the test class.

Or better yet, just give 'bypass node access' permissions to the RSS test. :)

Here's a new patch. All of the node tests pass now. Let's see what the test bot thinks...

Do you think we should put a note in the node_test class so that no one else gets bitten by the fact that it actually removes all node access grants, or just leave it?

Actually, I think that maybe we need a separate issue for that, because it's sort of implied that that module is used to test node access, but it would never work correctly, and it references a test that doesn't exist.

I filed #710606: Node access tests are incomplete

cha0s: That change is fine to make, and does correctly reflect the logic.

Will do (split tests up), thanks for the review.

Regarding parens and instanceof - I'll put them in, since they also add clarity and will not detract from the code in any way. My philosophy is that if I (or someone else) has to think about precidence, e.g. because a little-used operator is being used, then probably parens are a good idea just to save time when looking at the code down the road.

Here's a new patch that splits up the tests and adds parens to the instanceof if clause. And incidentally the issue was not about && but about ! for the parens. Clearer with them, IMO, thanks cha0s.

FYI, the reason I didn't split up the tests before is that I've noticed that the setup functions are run again for each test method, so it definitely makes it so the tests take longer to run when splitting up, but obviously I haven't contributed too many core test patches... Anyway, I'm glad to know about the convention and adhere to it (big on standards).