Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Based on similar discussion in 12542, this patch changes permissions to use a delimiter. This ensures that user_access() and user_roles() calls always return the correct result for a given permission by essentially searching for '%|permission|%' rather than '%permission%' (which may yield incorrect results with similarly-named permissions).
Comments
Comment #1
killes@www.drop.org commentedThere is no patch.
Comment #2
killes@www.drop.org commentedThe problem is no there wouldn't be a delimiter, the problem is that the INSERT works like this:
db_query("INSERT INTO {permission} (rid, perm) VALUES (%d, '%s')", $role->rid, implode(', ', array_keys($edit[$role->rid])));
I think it should be
db_query("INSERT INTO {permission} (rid, perm) VALUES (%d, '%s')", $role->rid, ','. implode(', ', array_keys($edit[$role->rid])) .',' );
then you can look for ,perm,
Comment #3
chx commentedthis is partially fixed in user_access , user_roles is not yet fixed but as that function is rarely used with parameters, I am downgrading this to minor.
Comment #4
magico commentedWhat are the real consequences of this bug? In what situations?
Comment #5
killes@www.drop.org commentedif (isset($perm[$account->uid])) {
return strpos($perm[$account->uid], "$string, ") !== FALSE;
}
as I see it you will get a wrong result if you have too permissions "foo" and "bar foo". If the user has the "foo" permission, he'll automatically have the "bar foo" permission too. I admit it is unlikely to be a real problem but it might screw up somebody badly and he'd have a hard time figuring it out.
Comment #6
stevenpatzis this still an issue?
Comment #7
mdupontClosing.