Closed (fixed)
Project:
FAQ_Ask
Version:
6.x-2.x-dev
Component:
User interface
Priority:
Critical
Category:
Bug report
Assigned:
Reporter:
Created:
6 Feb 2011 at 13:58 UTC
Updated:
22 Mar 2012 at 21:00 UTC
When a user removes the "?ask=TRUE" querystring from the url, he is able to enter a complete FAQ entry (question plus answer), which immediately appears on the website unmoderated.
This makes the use of this module totaly useless, because users can bypass moderation of the FAQ very easily now.
Comments
Comment #1
stenjo commentedImplemented the suggested fix in #432408: Role with "ask question" cannot ask, comment #22 and 23, by kcarwile and jlea9378 in 6.x-2.x-dev version. That should take care of this issue. Needs testing. Give me feedback if this works for you.
/Sten
Comment #2
Boletus commentedThe existing 6.x-2-x-dev version still shows the body text field to anonymous users if you remove "ask=TRUE" from the URL. So I guess it's not fixed?
Comment #3
stenjo commentedDue to me learning a lot about Git, this was redone in a later commit. Should be updated again now. Please verify that the latest 6.x-2.x-dev version actually does not have this flaw any more.
Comment #4
deck7uk commentedThis issue also exists with the 7 branch. The fix is very similar, just add this inside function faq_ask_form_faq_node_form_alter....
global $user;
if (user_access('ask question', $user) && !user_access('answer question', $user))
$_GET['ask'] = 1;
the $form_id variable is no longer required.
Comment #5
stenjo commentedI'd prefer to have a separate issue for that. Need to keep track of how this fix is doing on the 6.x-2.x version.
Comment #6
stenjo commented