I was having trouble accessing nodes inside the nodequeue and it led me to discover that, from what I'm seeing right now, the access check for nodes is wrong. If the user doesn't have "administer nodes" permission, you forcefully restrict all unpublished nodes. There are many conditions and variables involved in node access, even with unpublished nodes.
Here's the query that's being run:
```sql
SELECT DISTINCT n.nid AS nid
FROM {node} n
LEFT OUTER JOIN {nodequeue_nodes} nq ON nq.nid = n.nid
WHERE (nq.sqid = :db_condition_placeholder_0)
  AND ((n.status = :db_condition_placeholder_1) OR (n.uid = :db_condition_placeholder_2))
ORDER BY nq.position ASC
```
I don't see any joins on the node_access table.
For instance, I'm using Workbench Moderation, and certain roles are able to see unpublished nodes so they can moderate them. When they view the node queue, the node titles are excluded, but the other action links are there.
Perhaps a call to node_access() should be used for each node?
Comment | File | Size | Author |
---|---|---|---|
#12 | nodequeue-proper_node_access_check-1871816-12.patch | 2.2 KB | mstef |
#6 | nodequeue-proper_node_access_check-1871816-6.patch | 2.2 KB | mstef |
#1 | nodequeue-proper_node_access_check-1871816.patch | 2.19 KB | mstef |
Comments
Comment #1
mstef commented: How's this?
Comment #2
ezra-g commented: Why not just remove:
Comment #3
mstef commented: Then you miss out on all this good (/important) stuff:
http://api.drupal.org/api/drupal/modules%21node%21node.module/function/n...
Comment #4
mstef commented: Looking at that query, I don't see any "access"-checking other than the published filter.
Comment #5
mstef commented: Ah shoot... screwed up that patch... new one coming
Comment #6
mstef commented: Here
Comment #7
mstef commented: I'm starting to think this may even be a security issue...
Comment #9
ezra-g commented: That's what
is for.
In general, if you suspect you've found a security issue, please follow the process for reporting a security issue.
Comment #10
mstef commented: I saw the addTag but after printing the query, nothing for node access is added. Also, it's not doing what it is supposed to do, which is why I opened this issue.
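The thread's query rebuilt with the two checks discussed here: the `node_access` query tag (comments #9 and #10) and a per-node `node_access()` call (issue summary). This is an added example, not nodequeue's code or the attached patch; it assumes Drupal 7's database and node APIs, and `$sqid` and `$account` are assumed inputs.

```php
<?php
/**
 * Added example, not nodequeue's code or the attached patch.
 * Returns the nids of subqueue $sqid that $account may view, in queue order.
 * Assumes Drupal 7: db_select(), node_access(), node_load_multiple().
 */
function example_nodequeue_viewable_nids($sqid, $account = NULL) {
  if (!isset($account)) {
    $account = $GLOBALS['user'];
  }

  // Same shape as the query in the issue summary, minus the hard
  // "published or own" filter: that filter is not an access check and
  // hides unpublished nodes from roles that are allowed to see them.
  $query = db_select('node', 'n')
    ->distinct()
    ->fields('n', array('nid'));
  $query->leftJoin('nodequeue_nodes', 'nq', 'nq.nid = n.nid');
  $query->condition('nq.sqid', $sqid)
    ->orderBy('nq.position', 'ASC');

  // The node_access tag lets node_query_node_access_alter() join
  // {node_access} for grants-based modules. It intentionally adds nothing
  // when $account has "bypass node access" or when no module implements
  // hook_node_grants(), so a printed query can show no node_access join
  // even though the tag is set (comment #10).
  $query->addTag('node_access')
    ->addMetaData('account', $account)
    ->addMetaData('op', 'view');

  $nids = $query->execute()->fetchCol();

  // Per-node check suggested in the issue summary. node_access() also
  // applies the published/unpublished rules and hook_node_access()
  // implementations, which the SQL-level alter never sees.
  $nodes = node_load_multiple($nids);
  $viewable = array();
  foreach ($nids as $nid) {
    if (isset($nodes[$nid]) && node_access('view', $nodes[$nid], $account)) {
      $viewable[] = $nid;
    }
  }
  return $viewable;
}
```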
Comment #11
mstef commented: Odd reason the test failed. Let's try again.
Comment #12
mstef commented: Same patch as #6, for another run at the tests.
Comment #14
fizk commented: Committed, thanks!