The attached patch resolves an issue where the global $user is changing behind the scenes. In that case, the storage of premium_access inside the node array is inappropriate, as the value stored may not be correct at the time nodeapi:load is called.

What is the problem: Premium stores away the access value, premium_access, inside the node variable, granting access or non-access for the life of the node. But it's not valid for the life of the node. It should only be valid at the time nodeapi op==load is called.

How to demonstrate: A node is created and accessed. Sometime later in the execution $user is changed. $node->premium_access is no longer correct.

The solution: Don't cache the value in the node object, just check at the nodeapi time whether access should be granted.

CommentFileSizeAuthor
#2 premium.dont_cache_access_status.patch1.32 KBrfay
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

hefox’s picture

hefox CreditAttribution: hefox commented

(The patch is not there D:!)

possible could fix this also with the patch

function _premium_access($node, $teaser) {
  global $user;  // this is missing
    .... 
    if (is_bool($access = $function($user, $node))) { // cough
rfay’s picture

rfay
Primary language English
Location Palisade, CO, USA
CreditAttribution: rfay commented
FileSize
premium.dont_cache_access_status.patch1.32 KB

Sorry! Here's the patch. That happened to me more than once that night. I don't think it was me, either.

mikl’s picture

mikl CreditAttribution: mikl commented
Status: Needs review » Needs work

Hi Randy,

This is a very sensible change. I'd very much like to merge it into my Premium-fork, but it'll probably need a reroll :)

http://drupal.org/sandbox/mikl/1078824

mikl’s picture

mikl CreditAttribution: mikl commented
Project: Premium » Premium content
Version: 6.x-1.0-alpha1 » 6.x-1.0-alpha2

I plan to fix this soon :)

mikl’s picture

mikl CreditAttribution: mikl commented
Version: 6.x-1.0-alpha2 » 6.x-1.x-dev

I was pondering this, and I can't see a good way to implement this without breaking backwards compatibility. It's common to rely on $node->premium_access in templates, etc., so removing it would be troublesome.

I can't really think of a scenario where the uid changes from when the node is loaded to when it's displayed. Is this a common issue?

BenK’s picture

BenK CreditAttribution: BenK commented

Subscribing

Taxoman’s picture

Taxoman CreditAttribution: Taxoman commented

@rfay; which situations would cause a change of $user after a node is created and accessed, without this being a legitime logout/login? Can that happen within the same login session, without resetting the session cookie?

tanc’s picture

tanc
he/him
Primary language English
Location Italy
CreditAttribution: tanc commented

Hi Mikl, just in my basic testing I came across this issue immediately. I've opened an issue without realising it was a duplicate of this one #1328964: Permissions issues on cached nodes

The problem is that Drupal heavily caches the node objects, especially in D7 so there is no guarantee the cached object will apply to different users/roles. I think the only way around this is to call the access check on hook_node_view as well. I'm also having to add an access check when rendering custom lists using the Bean module. I'm not sure if there is a central way of doing this without custom calls to premium_user_content_access().

esolitos’s picture

esolitos
he/him
Primary language Italian
Location Trondheim
CreditAttribution: esolitos at Ramsalt Lab commented
Issue summary: View changes
Status: Needs work » Closed (outdated)

Cleaning up issue queue: Version 6.x is not supported.