Currently, FeedsNodeProcessor simply saves nodes using node_save without doing any sort of authorization or permissions-checking, such that even nodes with "anonymous" as author can be created. I understand that this is okay in most circumstances, since it's assumed that the person importing nodes (where permissions are checked) is the same person actually creating the content. However, in many cases the person importing is not the person who created the content (obviously, since the author field can be mapped)- with the Mailhandler module for instance, anyone can submit content via email, and users should not be able to create content if they do not have appropriate permissions.
Thus, we'd like to see FeedsNodeProcessor check permissions via whatever mechanism before saving content.
Corresponding issue in Mailhandler queue: #1029352: Cleaning up authentication, and other high-level restructuring
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | feeds-1041646-2.patch | 1.64 KB | danepowell |
Comments
Comment #1
danepowell commentedTagging to keep track of issues related to the mailhandler-2.x/notifications-4.x workflow
Comment #2
danepowell commentedThis patch adds an option to the processor settings to check permissions when updating or creating nodes, and implements authorization before node_save.
Comment #3
obrienmd commentedWorked for me, marking as RTBC.
Comment #4
tobby commentedThanks for the patch. This has been committed. http://drupal.org/commitlog/commit/11690/f0a819829996e0c8b3c841bbc0422d9...