I just upgraded both Module Grants and Revisioning to 6.x-3.3 versions, and after doing so SQL errors appeared for users other than uid=1 on custom views of existing content. I commented out module_grants_db_rewrite_sql and the errors disappeared, so narrowed it down to _module_grants_node_access_where_sql and assuming uid=1 doesn't get the error because of 'administer nodes' access. I'm afraid my sql is a bit rubbish, any help would be much appreciated.

Errors are:

user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')) > 0) AND ((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND re' at line 4 query: SELECT COUNT(*) FROM (SELECT node.nid AS nid FROM node node LEFT JOIN node_revisions node_revisions ON node.vid = node_revisions.vid INNER JOIN node_access na ON na.nid = node.nid WHERE (na.grant_view >= 1 AND ((na.gid = 0 AND na.realm = 'all') OR (na.gid = 1 AND na.realm = 'workflow_access') OR (na.gid = 0 AND na.realm = 'workflow_access_owner') OR (na.gid = 0 AND na.realm = 'og_public'))) AND (((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND ()) > 0) AND ((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND realm IN ('workflow_access','workflow_access_owner')) = 0 OR (SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND ((gid=1 AND realm='workflow_access') OR (gid=0 AND realm='workflow_access_owner'))) > 0) AND ((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND realm IN ('og_public')) = 0 OR (SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND ((gid=0 AND realm='og_public'))) > 0)) AND ( (node.type in ('page')) AND (node.status <> 0 OR (node.uid = 0 AND 0 <> 0) OR 0 = 1) AND (node.nid = 200) )) count_alias in ... .../views/includes/view.inc on line 739.

and

user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')) > 0) AND ((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND re' at line 11 query: SELECT node.nid AS nid, node.title AS node_title, node.uid AS node_uid, node.type AS node_type, node_revisions.format AS node_revisions_format, node_revisions.body AS node_revisions_body, node.sticky AS node_sticky, node.created AS node_created FROM node node LEFT JOIN node_revisions node_revisions ON node.vid = node_revisions.vid INNER JOIN node_access na ON na.nid = node.nid WHERE (na.grant_view >= 1 AND ((na.gid = 0 AND na.realm = 'all') OR (na.gid = 1 AND na.realm = 'workflow_access') OR (na.gid = 0 AND na.realm = 'workflow_access_owner') OR (na.gid = 0 AND na.realm = 'og_public'))) AND (((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND ()) > 0) AND ((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND realm IN ('workflow_access','workflow_access_owner')) = 0 OR (SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND ((gid=1 AND realm='workflow_access') OR (gid=0 AND realm='workflow_access_owner'))) > 0) AND ((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND realm IN ('og_public')) = 0 OR (SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND ((gid=0 AND realm='og_public'))) > 0)) AND ( (node.type in ('page')) AND (node.status <> 0 OR (node.uid = 0 AND 0 <> 0) OR 0 = 1) AND (node.nid = 200) )ORDER BY node_sticky DESC, node_created DESC LIMIT 0, 10 in ... .../views/includes/view.inc on line 765.

Comments

RdeBoer’s picture

RdeBoer
Location Melbourne
CreditAttribution: RdeBoer commented
Assigned: Unassigned » RdeBoer
Status: Active » Needs work

Thanks for reporting nurofen... this needs to be sorted soon. Will look into it.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Assigned: RdeBoer » Unassigned
Status: Needs work » Active

I said my SQL is rubbish but I should have noticed the "AND ()" that was a fairly obvious culprit.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Status: Active » Needs work

My bad for overriding your issue settings changes... simultaneous posting.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

Tracking the empty AND looks like it's module_grants.module line 608:

$grants[] = "(". $lenient_subquery ."(SELECT COUNT(1) FROM {node_access} nasq WHERE na.nid=nasq.nid AND ($module_grants)) > 0)";

$module_grants var is perhaps empty? On line 604 there is an if statement: if (!empty($module_grants)) but this is closed before line 608:

600: foreach ($all_grants as $module => $module_grants) {
601: $lenient_subquery = '';
602: if (variable_get('module_grants_lenient', TRUE)) {
603: $module_realms = array_keys(module_invoke($module, 'node_grants', $account, $op));
604: if (!empty($module_grants)) {
605: $lenient_subquery = "(SELECT COUNT(1) FROM {node_access} nasq WHERE $node_access_alias.nid=nasq.nid AND realm IN ('". implode("','", $module_realms) ."')) = 0 OR ";
606: }
607: }
608: $grants[] = "(". $lenient_subquery ."(SELECT COUNT(1) FROM {node_access} nasq WHERE na.nid=nasq.nid AND ($module_grants)) > 0)";
609: }

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

Would replacing line 608 with the following fix it?

$module_grants_subquery = '';
if (!empty($module_grants)) {
$module_grants_subquery = "(SELECT COUNT(1) FROM {node_access} nasq WHERE na.nid=nasq.nid AND ($module_grants)) > 0";
}
if (!empty($lenient_subquery) || !empty($module_grants_subquery)) {
$grants[] = "(". $lenient_subquery .$module_grants_subquery .")";
}

RdeBoer’s picture

RdeBoer
Location Melbourne
CreditAttribution: RdeBoer commented

Hmm... something like that perhaps....

First, that test for !empty($module_grants) should be !empty($module_realms).

Second, it worries me that $module_grants appears to be empty, thus producing the erroneous SQL with the empty "AND ()", because that means that one of your modules hasn't produced the appropriate entries in the node_access table. Are you using Organic Groups by any chance? If so, let us know what happens if you disable it.

Also, on the Site configuration >> Module Grants config page do you have the first check box ticked (default) or have you got "lenient" switched off?

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

In Site configruation >> Module Grants config page: Interpret absence of access grants as a "don't care", rather than a "deny access". is ticked.

Yes using OG and OG Access, but node getting error on is not a Group Post. For good measure unchecked all OG modules rebuilt perms. Still get empty 'AND' SQL error.

FYI also using Workflow and Workflow Access, if it helps for the node in question:

node_access entries for nodes shown on this page								
node	prio	status	realm	gid	view	update	delete	explained
200	– 	ok	workflow_access	1	1	0	0	
200	– 	ok	workflow_access	2	1′	0	0	
200	– 	empty	workflow_access	3	0	0	0	
200	– 	empty	workflow_access	4	0	0	0	
200	– 	empty	workflow_access	5	0	0	0	
200	– 	empty	workflow_access	6	0	0	0	
200	– 	empty	workflow_access	7	0	0	0	
200	– 	empty	workflow_access	8	0	0	0	
200	– 	empty	workflow_access	9	0	0	0	
200	– 	empty	workflow_access	10	0	0	0	
200	– 	empty	workflow_access	11	0	0	0	
200	– 	empty	workflow_access_owner	1	0	0	0

I also unchecked Workflow and Workflow Access and rebuilt permissions, but still get the error.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

dpm($module_grants) I get the following:

*
* (gid=2 AND realm='workflow_access') OR (gid=3 AND realm='workflow_access_owner')
* (gid=0 AND realm='og_public')
*
* (gid=2 AND realm='workflow_access') OR (gid=3 AND realm='workflow_access_owner')
* (gid=0 AND realm='og_public')
* 
* (gid=2 AND realm='workflow_access') OR (gid=3 AND realm='workflow_access_owner')
* (gid=0 AND realm='og_public')
* 
* (gid=2 AND realm='workflow_access') OR (gid=3 AND realm='workflow_access_owner')
* (gid=0 AND realm='og_public')
*
* (gid=2 AND realm='workflow_access') OR (gid=3 AND realm='workflow_access_owner')
* (gid=0 AND realm='og_public')
*
* (gid=2 AND realm='workflow_access') OR (gid=3 AND realm='workflow_access_owner')
* (gid=0 AND realm='og_public')
Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

Empty culprit is coherent access module: http://drupal.org/project/coherent_access

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

Funnily enough after all that messing about I'm now getting another error:

....(((SELECT COUNT(1) FROM node_access nasq WHERE na.nid=nasq.nid AND realm IN ('coherent_access')) = 0 OR ) AND ((SELECT COUNT(1)....

Missing something after ('coherent_access')) = 0 OR ?????.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

Ah... that is because I changed line 604 to if (!empty($module_realms)) { so its now actually writing the lenient subquery, but then missing the module_grants bit because that's empty for coherent access.

RdeBoer’s picture

RdeBoer
Location Melbourne
CreditAttribution: RdeBoer commented

Thanks for all your analysis nurofen...
Still why does the Coherent Access module feel it has to produce an empty subquery...?
I'll download it in a minute... but also suggest this piece of defensive coding:
In function _grants_by_module(..) around line #688 change

      // Within a module OR the gid/realm combinations together
      $all_grants[$module] = implode(' OR ', $module_gids);

to

      // Within a module OR the gid/realm combinations together
      if (!empty($module_gids)) {
        $all_grants[$module] = implode(' OR ', $module_gids);
      }

That may solve it. Will test.

RdeBoer’s picture

RdeBoer
Location Melbourne
CreditAttribution: RdeBoer commented

I have a setup with Workflow (Access) and Coherent Access both enabled.
I also created a View of my content.
All the grants are created and queried correctly. I don't get empty $module_grants.
I have logged in as uid=1 as wells as users that don't have "administer nodes".
I can't even get close to reproducing the errors and empty variables that you get.

RdeBoer’s picture

RdeBoer
Location Melbourne
CreditAttribution: RdeBoer commented

Would it be an idea to disable (perhaps even uninstall) most modules, except for Module Grants (6.x-3.3) and run http://localhost/<your_site>/update.php ?
Then add Revisioning (6.x-3.3) and see if you're still getting the same issues.
Then one by one add Views, Workflow, Coherent Access and other modules, checking in between if all is still ok.
That should isolate the issue.

RdeBoer’s picture

RdeBoer
Location Melbourne
CreditAttribution: RdeBoer commented
Title: SQL errors from views/includes/view.inc on lines 739 and 765 after upgrading Module Grants and Revisioning » SQL errors after upgrading Module Grants when also using Views and Coherent Access
Assigned: Unassigned » RdeBoer
Status: Needs work » Fixed

After private comms with nurofen, I installed her site in my development environment.
I can confirm that the one-line fix described above in #12 gets rid of the error.
The culprit is the Conherent Access module, which generates an empty gids array for its realm. The above fix is to ignore these empty gids when producing the View SQL.

Will be included in next official release.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.