Closed (fixed)
Project:
Scheduler
Version:
4.7.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
2 May 2006 at 20:03 UTC
Updated:
12 Sep 2006 at 07:52 UTC
Hi,
If a site admin has set the default content types to be "in moderation queue" rather than directly published this moderation can be bypassed by standard users who are granted scheduler access by simply setting a start date.
The SQL code doesn't appear to check the node->moderate field.
The patch above adds in this check.
Note, the supplied patch is made against scheduler.module version 1.34 which has been patched with scheduler.module_2.patch as noted on issue #52545
Regards
--AjK
| Comment | File | Size | Author |
|---|---|---|---|
| | scheduler.modile_moderate.patch.txt | 1.04 KB | AjK |
Comments
Comment #1
AjK commented
Changing to "critical" as I think this may be a wider issue with previous versions of scheduler. More experienced Drupal maintainers can decide.
regards
--AjK
Comment #2
AjK commented
see http://drupal.org/node/52545#32
Comment #3
AjK commented
I closed this bug as another patch I did fixed it. However, the recent rewrite by m3avrck may have re-introduced it.
The bug would apply to 4.7.x versions of Drupal only as the moderation flag has been removed from HEAD.
best regards
--AjK
Comment #4
m3avrck commented
This doesn't make sense. If you have your nodes set to be in moderation after posted and your SQL ignores nodes with this flag set, then you are ignoring scheduling altogether. You should simply have scheduling turned off for this node type. Conversely, don't give users this permission at all when they add nodes and you won't run into this problem.
Seems to be more of an administration issue than a bug.
Comment #5
AjK commented
I disagree. It's a bug imho. There is an instance whereby you can ensure user input is "moderated" and until a moderator flags it as published it stays in the moderation queue.
However, the moderation queue can be by-passed if the user has access to scheduler. All they need to do is set a future start date. When the cron hits for scheduler, it sets the status to published regardless of the moderation flag (both end up being set in this case. Drupal seems to override moderation if status is published).
So, a user can bypass site wide moderation that an admin wants. It's true that not allowing the users to use scheduler avoids the problem, but in that case, why bother having a module that schedules? It's really only an issue on sites that enforce moderation by admins. Most sites don't have that so it doesn't bother those.
Just, I had one site that a) had to have site wide moderation in full and b) allow users to schedule a start / end date for the article. On that site, the bug showed up as things were getting "published" without a moderator even seeing it!
The moderation flag in HEAD has been removed and therefore has no meaning.
best regards,
--AjK
Comment #6
AjK commented
Closing this, no longer an issue I believe (Drupal5 won't have a moderation flag)
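
The behaviour described in the report and in comment #5, as an added example that is not part of the thread or of the Scheduler module's code: a scheduled-publish pass with and without the moderation check, plus an audit query for nodes that are published while the moderation flag is still set. The table and column names (`node`, `schedule`, `publish_on`) are a constructed, simplified model and an assumption, not the Drupal or Scheduler schema.

```python
import sqlite3

# Constructed, simplified model: table and column names are assumptions,
# not the Drupal 4.7 or Scheduler schema.
SCHEMA = """
CREATE TABLE node (nid INTEGER PRIMARY KEY, status INTEGER, moderate INTEGER);
CREATE TABLE schedule (nid INTEGER, publish_on INTEGER);
"""

# Behaviour described in the report: the cron pass publishes on date alone.
PUBLISH_UNCHECKED = """
UPDATE node SET status = 1
WHERE status = 0
  AND nid IN (SELECT nid FROM schedule WHERE publish_on <= :now)
"""

# With the check: nodes still in the moderation queue are skipped.
PUBLISH_CHECKED = PUBLISH_UNCHECKED + " AND moderate = 0"


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample rows: node 1 awaits moderation, node 2 was approved,
    # node 3 awaits moderation and is scheduled for a later time.
    db.executemany("INSERT INTO node VALUES (?, 0, ?)", [(1, 1), (2, 0), (3, 1)])
    db.executemany("INSERT INTO schedule VALUES (?, ?)", [(1, 100), (2, 100), (3, 900)])
    return db


def run_cron(db, query, now):
    """Run one publish pass and return the nids that are now published."""
    db.execute(query, {"now": now})
    return [r[0] for r in db.execute("SELECT nid FROM node WHERE status = 1 ORDER BY nid")]


def moderation_bypasses(db):
    """Audit query: published nodes whose moderation flag is still set."""
    return [r[0] for r in db.execute(
        "SELECT nid FROM node WHERE status = 1 AND moderate = 1 ORDER BY nid")]


if __name__ == "__main__":
    for name, query in (("unchecked", PUBLISH_UNCHECKED), ("checked", PUBLISH_CHECKED)):
        db = make_db()
        print(name, "published:", run_cron(db, query, now=500),
              "bypassed moderation:", moderation_bypasses(db))
```

The audit query matches the state comment #5 describes, where both the published status and the moderation flag end up set on the same node.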