The api documentation for hook_db_rewrite_sql speaks of the ability to use its functions on the comment table, but comment_render() doesn't implement a db_rewrite_sql(). The attached patch fixes this.
I've tested this out with a stock 5.1 install, and it seems to work out great. A well-formed implementation of hook_db_rewrite_sql hides comments as it should. It even threads nicely. For instance, in a comment thread that goes:
1
-2
--3
---4
If comment #3 is restricted by the db_rewrite_sql, it will render as:
1
-2
--4
I think this is a good common-sense patch, and it will enable contributed modules to offer much more fine-grained permissions for viewing comments.
Comment | File | Size | Author |
---|---|---|---|
#16 | comment_db_rewrite_sql_backport5.patch | 1.8 KB | mcarbone |
#12 | comment-db_rewrite_sql-128165-12.patch | 1.22 KB | webchick |
#7 | comment_db_rewrite_sql6.patch | 1.1 KB | joshk |
#3 | comment_sql_rewrite6.patch | 1.12 KB | joshk |
comment_render.patch | 1.17 KB | joshk | |
Comments
Comment #1
joshk CreditAttribution: joshk commentedFWIW, the code I've added is:
There was some concern that db_rewrite_sql would set the nid to DISTINCT. Because this is about the comments table, we've got no worries. :)
Comment #2
joshk CreditAttribution: joshk commentedUpdated status and assigned to me. If possible, I think this should get into 5.2 as it's fully backwards compatible and exhibits a best practice.
Comment #3
joshk CreditAttribution: joshk commentedRe-rolled for Drupal 6. This is an important addition to allow developers to write modules which implement nuanced access control over commetns.
Comment #4
nedjoI think it makes sense to rewrite comment queries.
A particular use case I've had is in the Content Blocker module. Users can select to block all content posted by a given user. This is implemented through
db_rewrite_sql()
. However, it is not feasible to block comments short of a theme override, see this issue http://drupal.org/project/issues/contentblocker. Comment sql rewriting is what's needed there.There are many other queries on the comments table besides the two covered in this patch. I assume many of those queries should be rewritten as well.
Comment #5
moshe weitzman CreditAttribution: moshe weitzman commentedpatch looks good, except don't pass any 4th argument to db_rewrite_sql(). thats for query hinting, not SQL arguments like db_query().
Comment #6
moshe weitzman CreditAttribution: moshe weitzman commentedwe should not ship 6 without this, and should be backported to 5 IMO.
Comment #7
joshk CreditAttribution: joshk commentedpatch looks good, except don't pass any 4th argument to db_rewrite_sql(). thats for query hinting, not SQL arguments like db_query().
Re-rolled.
Comment #8
joshk CreditAttribution: joshk commentedwe should not ship 6 without this, and should be backported to 5 IMO.
Backport patch/issue: http://drupal.org/node/147725
Comment #9
moshe weitzman CreditAttribution: moshe weitzman commentedComment #10
drummMarked http://drupal.org/node/39685 as a duplicate of this.
Comment #11
Gábor HojtsyWhile you rewrite the full SQL, you do not rewrite the pager (count) SQL, so the pager would be incorrect with a restricted result set coming from the full query.
Comment #12
webchickI believe this addresses Gabor's comments.
Comment #13
pwolanin CreditAttribution: pwolanin commentedpatch code looks fine - it's a simple change.
Comment #14
webchickOk, then...
Comment #15
Gábor HojtsyOK, committed!
Comment #16
mcarbone CreditAttribution: mcarbone commentedSince drumm marked the backport thread as a duplicate, here's a backport to 5 of this patch with Gabor's comments addressed.
Comment #17
drummThis will need either Dries's or Steven's review. I wrote a similar patch awhile ago, a coworker wrote the backport, and I share an office with the original author. This could be viewed as an API change since it is a new query type being rewritten. Looks like Moshe is in favor of backporting, so I will leave it for further review. My position is neutral.
Comment #18
catchDon't think this is critical for 5.x.
Comment #19
drummIt is simply a bit too late for this for 5.x. 6.0 will be out soon enough.
Comment #20
Crimson CreditAttribution: Crimson commentedJust because 6.0's release is looming in the future doesn't mean that this has to be abandoned. People still have a use 5.x and probably want to see this bug squished. So I'm changing the status back and await for to code review.
Comment #21
webchickIt's an API change, so we can't get it in 5.x. I think that's what drumm was saying.
Comment #22
mcarbone CreditAttribution: mcarbone commentedDrumm's point has merit, but I don't see why this is an API change. As far as I can tell, a forgotten db_rewrite_sql is a bug, as the presentation of comments cannot be controlled as one would expect.
Comment #23
drummI would only really trust {node} to work for db rewriting in Drupal 5. The other things simply are not as important.
Comment #24
mcarbone CreditAttribution: mcarbone commentedIn that case, we should switch this to "minor" bug status.
Comment #25
webchickNo, I think we set it to 6.x and mark it fixed. Drumm has as much as said this won't be considered for 5.x.
Comment #26
(not verified) CreditAttribution: commentedAutomatically closed -- issue fixed for two weeks with no activity.
Comment #27
robeano CreditAttribution: robeano commentedThank you for this patch. Works well on my 5.8 site.