Tags should only be displayed to a user if they have permission to see at least one of the nodes tagged with that term. Currently a block of tags is displayed to an anonymous user even if they have no rights to access nodes. It also affects sites using different node-based permissions or the organic groups permissions system.

I think the weighting should also be dependent on the number of nodes they are able to see, not the total number of nodes tagged with that term.

CommentFileSizeAuthor
#18 after.PNG3.59 KBAlex Regenbogen
#17 before.PNG3.82 KBAlex Regenbogen
#13 tagadelicpermissions2-cvs.diff.txt1.12 KBgeodaniel
#10 tagadelicpermissions-cvs.diff4.52 KBgeodaniel
#8 tagadelicpermissions.diff3.69 KBgeodaniel
#2 tag_permissions.diff.txt3.18 KBgeodaniel

Comments

Bèr Kessels’s picture

Bèr Kessels commented
Assigned: Unassigned » Bèr Kessels
Priority: Normal » Critical

This is rather important.

geodaniel’s picture

geodaniel commented
StatusFileSize
new tag_permissions.diff.txt3.18 KB

I've rolled a patch that checks the permissions of nodes that tags refer to, and as long as at least one of those is accessible to the user then the tag is displayed. The number of nodes a user is allowed to see is then used to calculate the size, not the number of those tags across the whole site.

This may not scale well for large tag clouds as a query is made for each tag in the cloud.

geodaniel’s picture

geodaniel commented
Status: Active » Needs review
Bèr Kessels’s picture

Bèr Kessels commented

The patch looks good. but it fails. Can you please update it to the latest HEAD?

geodaniel’s picture

geodaniel commented
Status: Needs review » Needs work

I've just tried to set up an install of HEAD and the latest OG and Tagadelic modules, but I can't get into either of their settings pages now that the settings pages have been depreciated. I'll come back and try and get this patch working once the settings pages for those modules are up and running.

catch’s picture

catch
he/him
Primary language English
commented

I'm also getting restricted tags displayed to anonymous and other user groups using the taxonomy access control module

ju.ri’s picture

ju.ri commented

i would also be very interested in this. quite essential for a site with many organic groups. many thanks for looking into it :)

geodaniel’s picture

geodaniel commented
Version: master » 4.7.x-1.x-dev
StatusFileSize
new tagadelicpermissions.diff3.69 KB

I've updated this patch to go against the current 4.7 version of the module. (Will hold off on CVS/5.0 one until the first RC is out).

Due to the potentially large number of database calls this patch could make, I've also added in a setting that allows the admin to choose whether or not they want these permissions to be cheched for each tag (and set the default to no).

geodaniel’s picture

geodaniel commented
Status: Needs work » Needs review
geodaniel’s picture

geodaniel commented
Version: 4.7.x-1.x-dev » master
StatusFileSize
new tagadelicpermissions-cvs.diff4.52 KB

Ah, I see the HEAD version is still 4.7 based, so I've gone ahead and patched that as well.

Bèr Kessels’s picture

Bèr Kessels commented
Status: Needs review » Needs work

This needs to be improved, or else done a different way. I think we should look at the db_rewrite_sql instead.
This patch will be such a huge performance bottleneck that I cannot consider applying this as it is.

geodaniel’s picture

geodaniel commented

Argh. The voice of reason :) Ok, I'll check into db_rewrite_sql and see if it can be done more intelligently than the current patch.

geodaniel’s picture

geodaniel commented
Status: Needs work » Needs review
StatusFileSize
new tagadelicpermissions2-cvs.diff.txt1.12 KB

This patch should reduce the overhead - it does a query (through db_rewrite_sql on the node table) to get the node id's the user is allowed to access and then uses them in the main query to see if the nid from term_node is in that list. Does that reduce it to an acceptable level?

Should this be something that taxonomy.module does on its own instead of relying on contrib modules to each check on their own?

(I tried to limit this using db_rewrite_sql / hook_db_rewrite_sql but couldn't quite get my head around it)

Bèr Kessels’s picture

Bèr Kessels commented

db_rewrite_sql()

Rewrites node, taxonomy and comment queries. Use it for listing queries. Do not use FROM table1, table2 syntax, use JOIN instead.

Can we not simply pass the 'SELECT COUNT(*) AS count ...' trough the db_rewrite_sql()?

Bèr Kessels’s picture

Bèr Kessels commented
Priority: Critical » Normal

There seems to be little interest, throttling down the Priority.

Bèr Kessels’s picture

Bèr Kessels commented

Anyone care to review?

Alex Regenbogen’s picture

Alex Regenbogen commented
StatusFileSize
new before.PNG3.82 KB

Looks like this does the trick.
I've got e few tags here that I'm not using for the general public.. And there not showing up after the patch.
Can't make statements about the performance though, since I'm not using a lot of tags to organize my posts in ;)

This fine module has made it into the list of modules for my upgrade-project (4.7 -> 5.0)!

Alex Regenbogen’s picture

Alex Regenbogen commented
StatusFileSize
new after.PNG3.59 KB

Sorry for the duplicate reply, forgot to 'merge' the two screenshots... ;)

Bèr Kessels’s picture

Bèr Kessels commented
Status: Needs review » Needs work

Reviewed the code. Its not an option this way: 

+  $nodes = db_query(db_rewrite_sql("SELECT n.nid FROM {node} n"));
+  while ($node = db_fetch_object($nodes)) {
+    $allowed[] = $node->nid;
+  }

Imagine what happens when you have 62840 nodes? Innacceptible, this needs a better solution.
1) The overhead: looping trough 100.000 items is not an option.
2) The limit: IN() allows only so much entries, If I am not mistaken, only 255. This solution will trow warnings when you go over that limit.
3) The SQL overhead: an IN() is rather expensive. This slows down stuff a LOT.
4) The SLQ-over-the-Line: your SQL query itself will grow huge requiring a lot of stuff to be passed to-and-from Mysql server: requires a lot of memory.

wallan’s picture

wallan commented

Subscribing...

ednique’s picture

ednique commented

Same problem here...
People seeing the tags but no nodes for them...

Any other idea's for fixing this issue ???

ednique’s picture

ednique commented

Ok, I made it work using db_rewrite_sql() on my 4.7.x-dev instance...
Use this query in the tagadelic_get_weighted_tags() function:

// initial db_rewrite = node; second = term access
  $sql = db_rewrite_sql(db_rewrite_sql('SELECT COUNT(*) AS count, d.tid, d.name, d.vid FROM {term_data} d INNER JOIN {term_node} tn ON d.tid = tn.tid INNER JOIN {node} n ON n.nid = tn.nid WHERE d.vid IN ('. substr(str_repeat('%d,', count($vids)), 0, -1) .') GROUP BY d.tid, d.name, d.vid ORDER BY count DESC'),'tn','tid');
  $result = db_query_range($sql, $vids, 0, $size);
geodaniel’s picture

geodaniel commented
Status: Needs work » Needs review

I haven't had a chance to try this out but it sounds like a good solution if it's working as expected through db_rewrite_sql.

ednique’s picture

ednique commented

It works... juist make sure you do NOT test it with the admin account... For admins the sql is NOT rewritten... as they can see all...

Bèr Kessels’s picture

Bèr Kessels commented

http://drupal.org/node/132759 was marked duplicate of this issue
http://drupal.org/node/164243 was marked duplicate of this issue

Bèr Kessels’s picture

Bèr Kessels commented
Status: Needs review » Closed (duplicate)

I am closing this issue and merging it with http://drupal.org/node/84095

Bèr Kessels’s picture

Bèr Kessels commented

Continued at http://drupal.org/node/141682