When hook_node_access is invoked by other modules (e.g. xmlsitemap module), they pass the user for which the access is checked in the $account variable. But nodeaccess_node_access(), if the node is unpublished, user_access is invoked without passing the $account as parameter, thus checking access for the logged in user. This results in returning NODE_ACCESS_ALLOW for anonymous users which is wrong.

Comments

mmrares created an issue. See original summary.

mmrares’s picture

alison’s picture

Does not apply cleanly, I think bc of the extra spaces -- but the "twin" patch on #2979618: Wrong user_access in hook_node_access applies cleanly.

alison’s picture

gamboz’s picture

Please note that the two patches apply to different versions of nodeaccess:
7.x-1.4 (2014) ↔ nodeaccess-wrong-user-access-check-2966820.patch
7.x-1.x-dev (2016) ↔ nodeaccess-fix_hook_node_access_for_another_account-2979618-6.patch

leducdubleuet’s picture

Status: Active » Needs review

Status: Needs review » Needs work

The last submitted patch, 2: nodeaccess-wrong-user-access-check-2966820.patch, failed testing. View results

leducdubleuet’s picture

Status: Needs work » Needs review
StatusFileSize
new863 bytes

I simply re-rolled the patch against current dev so the tests pass.

drumm’s picture

Status: Needs review » Fixed

Publishing since this was resolved by https://www.drupal.org/sa-contrib-2019-009

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.