Hi Nancy,

Since I installed 6.x-1.1 in D6.4, every user who does not have the permission to access site notes (these are the 'unauthorized visitors' as well as all registered users but #1 on my test site) gets the message on every page:

user warning: Unknown column 'type' in 'where clause' query: SELECT DISTINCT(nc.nid) FROM node_comment_statistics nc INNER JOIN node_access na ON na.nid = nc.nid WHERE (na.grant_view >= 1 AND ((na.gid = 0 AND na.realm = 'all') OR (na.gid = 1 AND na.realm = 'node_privacy_byrole_role') OR (na.gid = 0 AND na.realm = 'node_privacy_byrole_user'))) AND (type <> 'sitenotes') AND ( nc.comment_count > 0 )ORDER BY nc.last_comment_timestamp DESC LIMIT 0, 10 in /var/www/vhosts/example.com/httpdocs/modules/comment/comment.module on line 314.

The only bypass I can see to get rid of this message: to grant everyone the permission but to deprive them of the reachability... as far as possible...

Comments

Garnerin’s picture

The warning keeps displaying with the dev version of 2008-Sep-17 just as well.

stevenghines’s picture

I'm getting it as well with 5.x-1.4; error message is

Unknown column 'type' in 'where clause'; query: SELECT nc.nid FROM node_comment_statistics nc WHERE (type <> 'sitenotes') AND ( nc.comment_count > 0 ) ORDER BY nc.last_comment_timestamp DESC LIMIT 0, 10 in /includes/database.mysql.inc on line 172.

nancydru’s picture

Assigned: Unassigned » nancydru
Status: Active » Fixed

I committed a fix to tighten up my checks on which db_rewrite_sql's I intercept. This should be in the -dev release that rolls out around midnight GMT. Please test it and make sure. Thanks.

markus_petrux’s picture

Status: Fixed » Needs work

While the last patch seems to fix the problem, there may be situations where $primary_table has a different value, so this would expose sitenotes nodes to other users.

Instead, you could use the value in $primary_table to append the sitenotes condition.

function sitenotes_db_rewrite_sql($query, $primary_table, $primary_field, $args) {
  $return = array();
  // Check for node query if the user shouldn't see sitenotes.
  if ($primary_field == 'nid' && !user_access('access site notes')) {
    $sql = drupal_strtolower($query);
    // Locate the WHERE clause if there is one.
    if ($where = strpos($sql, ' where ')) {
      // If the query does not already have 'type=' then add our test.
      if (!(strpos($sql, 'type=', $where + 6) || strpos($sql, 'type =', $where + 6) || strpos($sql, 'type in', $where + 6))) {
        $return['where'] = $primary_table .".type <> 'sitenotes'";  // <--- here we can use $primary_table value
      }
    }
  }
  return $return;
}
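
A variant of the hook logic above that joins {node} under its own alias instead of assuming the primary table has a type column, which addresses both the reported "Unknown column" error and the exposure concern. This is an added example, not code from the thread or the module: it is plain PHP that runs without Drupal, the 'join' and 'where' keys follow the hook_db_rewrite_sql() return format, and the function name, the sitenotes_n alias and the sample calls are hypothetical. It leaves out the original's check for an existing type condition.

```php
<?php
// Added example, not the Site Notes module's code. Runs without Drupal.

/**
 * Build the fragments a hook_db_rewrite_sql() implementation would return
 * to hide 'sitenotes' nodes. $can_access stands in for
 * user_access('access site notes'); the alias 'sitenotes_n' is hypothetical.
 */
function sitenotes_filter_fragments($primary_table, $primary_field, $can_access) {
  // Only nid-keyed listings can be filtered by node type.
  if ($primary_field != 'nid' || $can_access) {
    return array();
  }
  // The alias is spliced into SQL, so accept plain identifiers only.
  if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $primary_table)) {
    throw new InvalidArgumentException('Unexpected table alias');
  }
  // Join {node} explicitly: 'type' then resolves whether the primary table
  // is {node} itself or another nid-keyed table, so the filter is never
  // skipped and never references a column that does not exist.
  return array(
    'join' => "INNER JOIN {node} sitenotes_n ON sitenotes_n.nid = $primary_table.nid",
    'where' => "sitenotes_n.type <> 'sitenotes'",
  );
}

// Constructed calls: (primary table alias, primary field, user may see notes).
$cases = array(
  array('nc', 'nid', FALSE),  // recent-comments listing from the report
  array('n', 'nid', FALSE),   // ordinary node listing
  array('n', 'nid', TRUE),    // privileged user: no filter
  array('u', 'uid', FALSE),   // not a node query: no filter
);
foreach ($cases as $case) {
  list($table, $field, $access) = $case;
  $frag = sitenotes_filter_fragments($table, $field, $access);
  echo "$table.$field: ", ($frag ? $frag['join'] . ' WHERE ' . $frag['where'] : '(unchanged)'), "\n";
}
```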

nancydru’s picture

Status: Needs work » Fixed

Good point, thanks.

jupiterchild’s picture

I am running 5.x-1.4 on 2 sites. On one site I get the same error as #2; on the other site, Site Notes works fine.

nancydru’s picture

You need the -dev version.

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.