I just upgraded both Module Grants and Revisioning to 6.x-3.3 versions, and after doing so SQL errors appeared for users other than uid=1 on custom views of existing content. I commented out module_grants_db_rewrite_sql and the errors disappeared, so narrowed it down to _module_grants_node_access_where_sql and assuming uid=1 doesn't get the error because of 'administer nodes' access. I'm afraid my sql is a bit rubbish, any help would be much appreciated.
Errors are:
user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')) > 0) AND ((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND re' at line 4 query: SELECT COUNT(*) FROM (SELECT node.nid AS nid FROM node node LEFT JOIN node_revisions node_revisions ON node.vid = node_revisions.vid INNER JOIN node_access na ON na.nid = node.nid WHERE (na.grant_view >= 1 AND ((na.gid = 0 AND na.realm = 'all') OR (na.gid = 1 AND na.realm = 'workflow_access') OR (na.gid = 0 AND na.realm = 'workflow_access_owner') OR (na.gid = 0 AND na.realm = 'og_public'))) AND (((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND ()) > 0) AND ((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND realm IN ('workflow_access','workflow_access_owner')) = 0 OR (SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND ((gid=1 AND realm='workflow_access') OR (gid=0 AND realm='workflow_access_owner'))) > 0) AND ((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND realm IN ('og_public')) = 0 OR (SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND ((gid=0 AND realm='og_public'))) > 0)) AND ( (node.type in ('page')) AND (node.status <> 0 OR (node.uid = 0 AND 0 <> 0) OR 0 = 1) AND (node.nid = 200) )) count_alias in ... .../views/includes/view.inc on line 739.
and
user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')) > 0) AND ((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND re' at line 11 query: SELECT node.nid AS nid, node.title AS node_title, node.uid AS node_uid, node.type AS node_type, node_revisions.format AS node_revisions_format, node_revisions.body AS node_revisions_body, node.sticky AS node_sticky, node.created AS node_created FROM node node LEFT JOIN node_revisions node_revisions ON node.vid = node_revisions.vid INNER JOIN node_access na ON na.nid = node.nid WHERE (na.grant_view >= 1 AND ((na.gid = 0 AND na.realm = 'all') OR (na.gid = 1 AND na.realm = 'workflow_access') OR (na.gid = 0 AND na.realm = 'workflow_access_owner') OR (na.gid = 0 AND na.realm = 'og_public'))) AND (((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND ()) > 0) AND ((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND realm IN ('workflow_access','workflow_access_owner')) = 0 OR (SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND ((gid=1 AND realm='workflow_access') OR (gid=0 AND realm='workflow_access_owner'))) > 0) AND ((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND realm IN ('og_public')) = 0 OR (SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND ((gid=0 AND realm='og_public'))) > 0)) AND ( (node.type in ('page')) AND (node.status <> 0 OR (node.uid = 0 AND 0 <> 0) OR 0 = 1) AND (node.nid = 200) )ORDER BY node_sticky DESC, node_created DESC LIMIT 0, 10 in ... .../views/includes/view.inc on line 765.
Comments
Comment #1
RdeBoerThanks for reporting nurofen... this needs to be sorted soon. Will look into it.
Comment #2
Anonymous (not verified) CreditAttribution: Anonymous commentedI said my SQL is rubbish but I should have noticed the "AND ()" that was a fairly obvious culprit.
Comment #3
Anonymous (not verified) CreditAttribution: Anonymous commentedMy bad for overriding your issue settings changes... simultaneous posting.
Comment #4
Anonymous (not verified) CreditAttribution: Anonymous commentedTracking the empty AND looks like it's module_grants.module line 608:
$grants[] = "(". $lenient_subquery ."(SELECT COUNT(1) FROM {node_access} nasq WHERE na.nid=nasq.nid AND ($module_grants)) > 0)";
$module_grants var is perhaps empty? On line 604 there is an if statement: if (!empty($module_grants)) but this is closed before line 608:
600: foreach ($all_grants as $module => $module_grants) {
601: $lenient_subquery = '';
602: if (variable_get('module_grants_lenient', TRUE)) {
603: $module_realms = array_keys(module_invoke($module, 'node_grants', $account, $op));
604: if (!empty($module_grants)) {
605: $lenient_subquery = "(SELECT COUNT(1) FROM {node_access} nasq WHERE $node_access_alias.nid=nasq.nid AND realm IN ('". implode("','", $module_realms) ."')) = 0 OR ";
606: }
607: }
608: $grants[] = "(". $lenient_subquery ."(SELECT COUNT(1) FROM {node_access} nasq WHERE na.nid=nasq.nid AND ($module_grants)) > 0)";
609: }
Comment #5
Anonymous (not verified) CreditAttribution: Anonymous commentedWould replacing line 608 with the following fix it?
$module_grants_subquery = '';
if (!empty($module_grants)) {
$module_grants_subquery = "(SELECT COUNT(1) FROM {node_access} nasq WHERE na.nid=nasq.nid AND ($module_grants)) > 0";
}
if (!empty($lenient_subquery) || !empty($module_grants_subquery)) {
$grants[] = "(". $lenient_subquery .$module_grants_subquery .")";
}
Comment #6
RdeBoerHmm... something like that perhaps....
First, that test for
!empty($module_grants)
should be!empty($module_realms)
.Second, it worries me that $module_grants appears to be empty, thus producing the erroneous SQL with the empty "AND ()", because that means that one of your modules hasn't produced the appropriate entries in the node_access table. Are you using Organic Groups by any chance? If so, let us know what happens if you disable it.
Also, on the Site configuration >> Module Grants config page do you have the first check box ticked (default) or have you got "lenient" switched off?
Comment #7
Anonymous (not verified) CreditAttribution: Anonymous commentedIn Site configruation >> Module Grants config page: Interpret absence of access grants as a "don't care", rather than a "deny access". is ticked.
Yes using OG and OG Access, but node getting error on is not a Group Post. For good measure unchecked all OG modules rebuilt perms. Still get empty 'AND' SQL error.
FYI also using Workflow and Workflow Access, if it helps for the node in question:
I also unchecked Workflow and Workflow Access and rebuilt permissions, but still get the error.
Comment #8
Anonymous (not verified) CreditAttribution: Anonymous commenteddpm($module_grants) I get the following:
Comment #9
Anonymous (not verified) CreditAttribution: Anonymous commentedEmpty culprit is coherent access module: http://drupal.org/project/coherent_access
Comment #10
Anonymous (not verified) CreditAttribution: Anonymous commentedFunnily enough after all that messing about I'm now getting another error:
Missing something after ('coherent_access')) = 0 OR ?????.
Comment #11
Anonymous (not verified) CreditAttribution: Anonymous commentedAh... that is because I changed line 604 to if (!empty($module_realms)) { so its now actually writing the lenient subquery, but then missing the module_grants bit because that's empty for coherent access.
Comment #12
RdeBoerThanks for all your analysis nurofen...
Still why does the Coherent Access module feel it has to produce an empty subquery...?
I'll download it in a minute... but also suggest this piece of defensive coding:
In function
_grants_by_module(..)
around line #688 changeto
That may solve it. Will test.
Comment #13
RdeBoerI have a setup with Workflow (Access) and Coherent Access both enabled.
I also created a View of my content.
All the grants are created and queried correctly. I don't get empty $module_grants.
I have logged in as uid=1 as wells as users that don't have "administer nodes".
I can't even get close to reproducing the errors and empty variables that you get.
Comment #14
RdeBoerWould it be an idea to disable (perhaps even uninstall) most modules, except for Module Grants (6.x-3.3) and run http://localhost/<your_site>/update.php ?
Then add Revisioning (6.x-3.3) and see if you're still getting the same issues.
Then one by one add Views, Workflow, Coherent Access and other modules, checking in between if all is still ok.
That should isolate the issue.
Comment #15
RdeBoerAfter private comms with nurofen, I installed her site in my development environment.
I can confirm that the one-line fix described above in #12 gets rid of the error.
The culprit is the Conherent Access module, which generates an empty gids array for its realm. The above fix is to ignore these empty gids when producing the View SQL.
Will be included in next official release.