The domain_content_list function doesn't check whether the user has access to each domain that it returns. As a result, the 'affiliated content' page lists all domains.

Attached is a patch that cleans the function up a bit, and adds this check. Users with 'administer nodes' or 'review content for all domains' are not affected.

CommentFileSizeAuthor
#4 1075926-domain-content.patch2.34 KBagentrickard
#2 d1.patch2.63 KByrro
d1.patch2.48 KByrro

Comments

agentrickard’s picture

agentrickard
he/him
Primary language English
Location Georgia (US)
commented
Status: Needs review » Needs work

'administer nodes' is no longer the proper permission. It is now 'bypass node access'.

yrro’s picture

yrro commented
StatusFileSize
new d1.patch2.63 KB

Changed the permission from 'administer nodes' to 'bypass node access'.

Also fixed a stupid typo: user->domain_user only needs to be looked at if $show_all is not true.

yrro’s picture

yrro commented
Status: Needs work » Needs review
agentrickard’s picture

agentrickard
he/him
Primary language English
Location Georgia (US)
commented
StatusFileSize
new 1075926-domain-content.patch2.34 KB

Odd. Looks like that part was just dropped from the code.

Better to filter the query, since we paginate this if needed. Here's a patch for testing.

yrro’s picture

yrro commented
Status: Needs review » Reviewed & tested by the community

Works for me, thanks!

agentrickard’s picture

agentrickard
he/him
Primary language English
Location Georgia (US)
commented

Cool. Now to test on D6.

agentrickard’s picture

agentrickard
he/him
Primary language English
Location Georgia (US)
commented

Committed to 7.x-2.x and master.

agentrickard’s picture

agentrickard
he/him
Primary language English
Location Georgia (US)
commented
Status: Reviewed & tested by the community » Fixed

This is fine in D6.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.