Last updated June 30, 2011. Created by webchick on June 30, 2011.
Edited by firfin, chx. Log in to edit this page.
Previously, for every node listing query, you only needed to add $query->addTag('node_access'); Now, you also need to add $query->addMetaData('base_table', $name_of_table_holding_the_nid);. For example:
<?php
$query = db_select('taxonomy_index', 't');
+ $query->addMetaData('base_table', 'taxonomy_index');
$query->addTag('node_access');
$query->condition('tid', $tid);
?>As of 7.3, core is able to discover the base table and so this change is optional. However, there's a slight performance hit if the base_table metadata is not defined explicitly, and in later versions it might become required to specify the base table this way. If your code is doing db_select('node') then the performance hit is negligible and there are no plans to mandate an $query->addMetaData('base_table', 'node'); for these queries.
Comments
need or should?
The messages around this are a little confusing. In the email (a security-news update indicating a critical fix) it says
"Note that fixing this issue in contributed modules requires a backwards-compatible API change for modules listing nodes. See
http://drupal.org/node/1204572 [3] for more details."
However the text above seems to indicate that the change above is optional. Not required. There's a slight performance hit if it is not explicitly defined.
As a user of a bunch of contrib modules (but not necessarily a developer of) is there any action I should be taking?
Thanks