I'm not sure if this is a bug or if it's by design, but looking at the nodeapi hook for the path module as it is in 4.7.1:

  if (user_access('create url aliases') || user_access('administer url aliases')) {
    switch ($op) {
      // ... the validate case ...

      case 'load':
        $path = "node/$node->nid";
        // We don't use drupal_get_path_alias() to avoid custom rewrite functions.
        // We only care about exact aliases.
        $result = db_query("SELECT dst FROM {url_alias} WHERE src = '%s'", $path);
        if (db_num_rows($result)) {
          $node->path = db_result($result);
        }
        break;

      // ... other cases ...
    }
  }

Why does one need create/admin access for the 'load' case to be called for our node?

Comments

smanes

Bump on this one. I don't see why 'load' should be privileged. You may want all users to have 'path' in their template namespace even though you don't want them to create paths.

This fix seems to work.

path.module (line 204):

function path_nodeapi(&$node, $op, $arg) {
  if (user_access('create url aliases') || user_access('administer url aliases') || $op == 'load') {

harking

Priority: Minor » Normal
Status: Active » Needs review

I would say this needs to be looked at.

It is technically a security issue if you have to enable more privileges than you need to.
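
The effect of the one-line change on each operation, as an added example that is not part of the original thread or of Drupal core: a stand-alone PHP simulation in which `has_perm()`, `sim_path_nodeapi()`, the `URL_ALIAS` table, the node id and the write-side operation names are hypothetical stand-ins for `user_access()`, `path_nodeapi()`, the `{url_alias}` table and the elided "other cases". It shows that the added condition exposes the alias on `load` to a user with neither permission while the other operations stay gated.

```php
<?php
// Added example: stand-alone simulation, not Drupal core code.
// Constructed sample data standing in for the {url_alias} table.
const URL_ALIAS = ['node/12' => 'about-us'];

// Hypothetical stand-in for user_access(): checks a list of granted permissions.
function has_perm(array $perms, string $perm): bool {
  return in_array($perm, $perms, true);
}

// Mirrors the permission gate shown in the thread. $allow_load switches on
// the "|| $op == 'load'" condition from the proposed fix.
function sim_path_nodeapi(object $node, string $op, array $perms, bool $allow_load): string {
  $may_edit = has_perm($perms, 'create url aliases')
      || has_perm($perms, 'administer url aliases');
  if (!($may_edit || ($allow_load && $op === 'load'))) {
    return 'skipped';
  }
  switch ($op) {
    case 'load':
      $src = "node/$node->nid";
      if (array_key_exists($src, URL_ALIAS)) {
        $node->path = URL_ALIAS[$src];  // read-only: attaches the exact alias
      }
      return 'loaded';
    case 'insert':
    case 'update':
    case 'delete':
      // Write-side operations (names assumed for the elided "other cases").
      // The added condition matches 'load' only, so these still need a permission.
      return 'write';
  }
  return 'ignored';
}

// Compare a visitor with no path permissions against an editor,
// with the original gate and with the changed one.
foreach ([false, true] as $patched) {
  foreach (['anonymous' => [], 'editor' => ['create url aliases']] as $who => $perms) {
    foreach (['load', 'update'] as $op) {
      $node = (object) ['nid' => 12];
      $result = sim_path_nodeapi($node, $op, $perms, $patched);
      printf("%-8s %-9s %-6s => %-7s path=%s\n", $patched ? 'patched' : 'original',
             $who, $op, $result, $node->path ?? '(unset)');
    }
  }
}
```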

jonathan_hunt

This patch works for me on 5.1. It would be good to see it committed for 6.x and backported to 5.2?

Mac Write

I tried adding this but get:

Parse error: syntax error, unexpected T_IF in /home/drupal/public_html/modules/path/path.module on line 214

Drupal 5.1.

beekerstudios

I needed to be able to get the path for a custom views list, and couldn't pull the path out. I could see that as admin when doing a print_r($node) I could see the path but as anonymous I couldn't. By enabling this, it only displays the path and nothing else as far as I can tell. I can do a diff on the array, if need be. To me this doesn't seem like much of a security issue. It seems like a necessary thing for custom views lists, stupid that it's not simpler.

beekerstudios

P.S. Here was my issue with not having this working: http://drupal.org/node/156188.

myka

Thanks!

That patch worked perfectly for me at http://www.twobitnews.com.

Most of it is already there at line 205; just add the " || $op == 'load' " part.

robloach

Status: Needs review » Fixed

Anonymous

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.