the ajax callback for adding a node to a node queue you can administer didn't work due to an error in the access function controling that functionality.
smartqueue_og_queue_access() has been corrected in this patch.

Together with my previous patch, I got smartqueue_og all working. You might consider releasing your 6.x-1 version.

cheers,
TUc

CommentFileSizeAuthor
#2 402620.patch822 bytesezra-g
smartqueue_access.patch1004 bytesTUc

Comments

ezra-g’s picture

ezra-g commented
Title: callback doesn't work » Callbacks for adding/removing a node should be use nodequeue_node_and_subqueue_access
Project: Smartqueues for Organic Groups » Nodequeue
Version: 6.x-1.x-dev » 6.x-2.0
Priority: Critical » Normal
Status: Needs review » Active

Thanks for your attention here. Actually, I think this is a bug in Nodequeue.module. While your fix does in fact work, I believe it's not the proper place to change the permission checking.

"Manipulate all og nodequeues" is supposed to be used to control access to not only to manipulating og subqueues, but also for administering the queue that contains all og queues. The callback for the path admin/content/nodequeue/%nodequeue/add/%subqueue/%node (and the equivalent path for removing a node) should really call a "nodequeue_node_and_subqueue_access" function rather than the current "nodequeue_node_and_queue_access" since the smartqueue api allows users permission to manipulate a specific subqueue (such as an og or per-user subqueue) without being able to administer the whole queue.This should be a relatively straightforward fix.

Please note that this is not an access bypass or any kind of security issue, since if anything, this access check is overly restrictive.

ezra-g’s picture

ezra-g commented
Title: Callbacks for adding/removing a node should be use nodequeue_node_and_subqueue_access » nodequeue_queue_access should call subqueue_api_access first
StatusFileSize
new 402620.patch822 bytes

Actually, we don't need a new access checking function since nodequeue_queue_access accepts an optional subqueue parameter. This patch changes it so that subqueue_api access control is called and the result returned before queue access, so more granular access control is possible :D. Hooray, smartqueue API!

This is basically commitable, but I'll leave in the queue for testing for a little while.

ezra-g’s picture

ezra-g commented
Status: Active » Needs review
ezra-g’s picture

ezra-g commented
Status: Needs review » Fixed

This is applied.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.