Currently, FeedsNodeProcessor simply saves nodes using node_save without doing any sort of authorization or permissions-checking, such that even nodes with "anonymous" as author can be created. I understand that this is okay in most circumstances, since it's assumed that the person importing nodes (where permissions are checked) is the same person actually creating the content. However, in many cases the person importing is not the person who created the content (obviously, since the author field can be mapped)- with the Mailhandler module for instance, anyone can submit content via email, and users should not be able to create content if they do not have appropriate permissions.

Thus, we'd like to see FeedsNodeProcessor check permissions via whatever mechanism before saving content.

Corresponding issue in Mailhandler queue: #1029352: Cleaning up authentication, and other high-level restructuring

CommentFileSizeAuthor
#2 feeds-1041646-2.patch1.64 KBdanepowell

Comments

danepowell’s picture

Issue tags: +mailflow 2.x

Tagging to keep track of issues related to the mailhandler-2.x/notifications-4.x workflow

danepowell’s picture

Status: Active » Needs review
StatusFileSize
new1.64 KB

This patch adds an option to the processor settings to check permissions when updating or creating nodes, and implements authorization before node_save.

obrienmd’s picture

Status: Needs review » Reviewed & tested by the community

Worked for me, marking as RTBC.

tobby’s picture

Status: Reviewed & tested by the community » Closed (fixed)