When a user removes the "?ask=TRUE" querystring from the url, he is able to enter a complete FAQ entry (question plus answer), which immediately appears on the website unmoderated.

This makes the use of this module totaly useless, because users can bypass moderation of the FAQ very easily now.

Comments

stenjo’s picture

Version: 6.x-2.1 » 6.x-2.x-dev
Assigned: Unassigned » stenjo
Status: Active » Needs review

Implemented the suggested fix in #432408: Role with "ask question" cannot ask, comment #22 and 23, by kcarwile and jlea9378 in 6.x-2.x-dev version. That should take care of this issue. Needs testing. Give me feedback if this works for you.

/Sten

Boletus’s picture

The existing 6.x-2-x-dev version still shows the body text field to anonymous users if you remove "ask=TRUE" from the URL. So I guess it's not fixed?

stenjo’s picture

Due to me learning a lot about Git, this was redone in a later commit. Should be updated again now. Please verify that the latest 6.x-2.x-dev version actually does not have this flaw any more.

deck7uk’s picture

Version: 6.x-2.x-dev » 7.x-1.x-dev

This issue also exists with the 7 branch. The fix is very similar, just add this inside function faq_ask_form_faq_node_form_alter....

global $user;
if (user_access('ask question', $user) && !user_access('answer question', $user))
$_GET['ask'] = 1;

the $form_id variable is no longer required.

stenjo’s picture

Version: 7.x-1.x-dev » 6.x-2.x-dev

I'd prefer to have a separate issue for that. Need to keep track of how this fix is doing on the 6.x-2.x version.

stenjo’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.