I'm not sure if this is how it's supposed to be or if I missed a setting. As long as you can log in, you can edit anyone else's nodes by changing arg(2) in the URL; for example, anyone who can log in could type in nodefamily/[nodeprofile]/1 and then they could freely edit my [the admin's] nodeprofile. I think the reason is that it only checks user_access('access content'); when nodefamily generates the page.

To fix this I went to the function nodefamily_lonely_node_page_args [line:664].

I changed [line:676]:

return nodefamily_lonely_node_page($typename, $uid);

To:

  // Only allow a user to edit their own node; show "page not found" for
  // nodefamily/nodeprofile/$user->uid unless the caller is an admin
  // (or no uid was given in the URL, i.e. nodefamily/nodeprofile).
  if (user_access('administer nodes') || !$uid) {
    return nodefamily_lonely_node_page($typename, $uid);
  }

  drupal_not_found();

Basically this says only the admin can access nodefamily/nodeprofile/$user->uid; users can still use nodefamily/nodeprofile to edit their own profile, they just can't mess with others via the URL. Hopefully something like this could be put in the correct place; this was just a quick fix for me and I'm not sure if it's working entirely, but no problems so far.

I had one other check on the global user and $uid, which is arg(2):

// compare the current user's uid with the uid taken from arg(2)
if ($GLOBALS['user']->uid == $uid) { }

But it was pointless for me, because the user will only need to edit their own profile, which they can do via nodefamily/nodeprofile.

Hope this helps.

Comments

fago’s picture

Status: Active » Fixed

I just had a look at this and luckily you are wrong.

    if (node_access('update', $node)) {
      // show edit form only if the current user may update this node
      return node_form($node);
    }

This checks the node access correctly. So check your access control settings!

WhatTheFawk’s picture

Status: Fixed » Postponed (maintainer needs more info)

Ok, can you point me to the line? I don't see that anywhere in nodefamily.module in either HEAD or 5.x-1.x-dev. My access controls are set to allow registered users to "edit own nodeprofile content" and "create nodeprofile content", so I think that's ok.

Usernode is set to "edit own usernode".

I realized I don't even have to log in to go to nodefamily/nodeprofile/1 and edit it. I'm pretty sure I'm using the newest module release. Any other ideas what it could be? The fix I have works so I guess I'll just leave it for now, but I don't see the code you just told me anywhere in the module, instead I see:

/**
 * Provide a unique URL for adding/editing nodes of types
 * with a maximum population of one.
 */
function nodefamily_lonely_node_page_args() {

  $types = node_get_types();
  $typename = arg(1);
  
  if (!$types[$typename] || nodefamily_content_type_get_max($typename) != 1) {
    drupal_not_found();
    exit;
  }
  
  $uid = (arg(2) && is_numeric(arg(2))) ? arg(2) : NULL;

  return nodefamily_lonely_node_page($typename, $uid);
}


function nodefamily_lonely_node_page($typename, $uid = NULL) {
  global $user;
  
  $node = node_load(array('type' => $typename, 'uid' => $uid ? $uid : $user->uid));
  
  if (!$node) {
    // show add form
    return node_add($typename);
  }
  else {
    return node_page_edit($node);
  }
  drupal_not_found();
}

No mention of node_access...
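The 4.7.x snippet quoted above defers to node_access('update', $node), while the 5.x code pasted here trusts arg(2) and hands the node straight to node_page_edit(). The following is an added illustration, not the nodefamily module's own code or the fix that was committed: a version of the 5.x page callback that makes the same node_access() check the 4.7.x branch makes, so "edit own nodeprofile content" and "administer nodes" decide who may edit the node at nodefamily/nodeprofile/1, rather than a URL argument (it also covers the coarser user_access('administer nodes') guard from the first post). The function name nodefamily_lonely_node_page_checked is invented for this example; it assumes the Drupal 5 API used in the snippets above (node_load with an array of conditions, node_access, node_add, node_page_edit, drupal_access_denied).

```php
<?php
/**
 * Added example (not the module's own code): a lonely-node page callback
 * that lets node_access() decide instead of trusting arg(2).
 *
 * Assumes the Drupal 5 API seen in the snippets above. The function name
 * is hypothetical; it would replace nodefamily_lonely_node_page().
 */
function nodefamily_lonely_node_page_checked($typename, $uid = NULL) {
  global $user;

  // The URL may name any uid; resolve it, but never treat it as proof of ownership.
  $owner_uid = $uid ? (int) $uid : $user->uid;
  $node = node_load(array('type' => $typename, 'uid' => $owner_uid));

  if (!$node) {
    // Nothing to edit yet. Only create a node for the *current* user, and only
    // if "create <type> content" is granted. (node_add() performs the same
    // 'create' check itself in Drupal 5; the uid test is the part it cannot do.)
    if ($owner_uid != $user->uid || !node_access('create', $typename)) {
      drupal_access_denied();
      return;
    }
    return node_add($typename);
  }

  // An existing node: node_access() honours "edit own <type> content",
  // "administer nodes" and any node access modules, so a visitor (logged in
  // or not) who may not update the admin's node gets 403 instead of the form.
  if (!node_access('update', $node)) {
    drupal_access_denied();
    return;
  }
  return node_page_edit($node);
}
```

Compared with the quick fix in the first post, this keeps nodefamily/nodeprofile/[USER_ID] working for anyone node_access() already allows (the owner, or an administrator) and returns 403 rather than 404 for everyone else, which is also the response an access log can be watched for.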

WhatTheFawk’s picture

I just noticed it is in nodefamily 4.7.x-1.0 but not HEAD or 5.x-1.x-dev.

WhatTheFawk’s picture

Title: Anyone can edit anyone elses associated family node. » Anyone can access nodefamily/[CONTENT_TYPE]/[USER_ID] in 5.x-1.x-dev
Status: Postponed (maintainer needs more info) » Active

Sorry, I couldn't figure out how to edit the post; just trying to get this noticed again to confirm whether the 5.x-1.x-dev and HEAD versions on the site are up-to-date.

fago’s picture

Ah, you are right. Sorry, I had overlooked that this issue is about 5.x.

I've just committed the fix,
thanks for reporting!!

fago’s picture

Status: Active » Fixed

Ah, forgot to set this to fixed.

Again, a short summary:
4.7.x users: don't worry.
5.x users: upgrade to the latest dev release!

Anonymous’s picture

Status: Fixed » Closed (fixed)