"create url aliases" access needed?

freeman - May 6, 2007 - 07:37
Project: Click2Bookmark
Version: 5.x-1.0
Component: Code
Category: support request
Priority: normal
Assigned: ericdes
Status: postponed (maintainer needs more info)
Description

I set this up on a Drupal 5.1 core and found that I needed to give "create url aliases" rights to those roles that I allow to add bookmarks. This seems like a bug and a potential security issue (I don't want to give those roles that right).

I dug deeper and found the problem starts with the use of node_load() in the _click2bookmark_bookmark_add() function. It doesn't retrieve the $node->path value unless the above right is given.

Is this an issue for everyone or is it just my setup (using Views, pathauto, etc.)?

Currently, Click2Bookmark is using node paths and titles to save to its database table and not node IDs (NIDs). Would saving the NIDs instead overcome this issue (i.e. not require "create url aliases")? The l() function can then be used to get the alias path for displaying. Though I think the node title may still need to be gotten via direct SQL queries to {node}.

Alternatively, if the table structure remains, perhaps we could use the SQL queries to {node} in place of node_load.

Would be glad to contribute some patches if there's some direction on this from the maintainers.
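
The NID-based approach proposed in the post above, sketched as an added example that is not part of the original post or of the Click2Bookmark code. The table {c2bm_example} and both function names are hypothetical; the Drupal 5 calls used are db_rewrite_sql(), db_query(), db_result(), db_fetch_object() and l(). Queries against {node} go through db_rewrite_sql() so that node access grants still apply once node_load() is no longer involved.

```php
<?php
// Added example. Hypothetical table {c2bm_example} with columns (uid, nid);
// this is not the Click2Bookmark schema.

/**
 * Store a bookmark by node ID only, without calling node_load().
 * No path is stored, so path.module's "create url aliases" check on
 * $node->path never comes into play.
 */
function example_bookmark_add($nid) {
  global $user;
  // db_rewrite_sql() adds the node access conditions, so a user cannot
  // bookmark a node they are not allowed to view.
  $sql = db_rewrite_sql('SELECT n.nid FROM {node} n WHERE n.nid = %d AND n.status = 1');
  $nid = db_result(db_query($sql, $nid));
  if (!$nid) {
    return FALSE;
  }
  // %d placeholders keep the values typed as integers in the query.
  db_query('INSERT INTO {c2bm_example} (uid, nid) VALUES (%d, %d)', $user->uid, $nid);
  return TRUE;
}

/**
 * Build the bookmark links for a user at display time.
 */
function example_bookmark_links($uid) {
  // Titles are read at display time through the same access-aware rewrite,
  // so a node that was unpublished or restricted after bookmarking is
  // not listed.
  $sql = db_rewrite_sql('SELECT n.nid, n.title FROM {node} n INNER JOIN {c2bm_example} b ON b.nid = n.nid WHERE b.uid = %d AND n.status = 1');
  $result = db_query($sql, $uid);
  $links = array();
  while ($row = db_fetch_object($result)) {
    // l() escapes the title and passes 'node/NID' through url(), which
    // substitutes the URL alias if one exists. No permission is involved.
    $links[] = l($row->title, 'node/'. $row->nid);
  }
  return $links;
}
```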

#1

freeman - May 6, 2007 - 16:13

Well, I've gone ahead and done the patch for doing away with node_load.

While I believe that technically this issue is probably to be resolved with changing path.module's load action's access control, changing this module is probably faster and does away with the dependency (no doubt it's a little more code to maintain), and I'm not sure I fully comprehend the reasons for protecting node_load with that access control to propose changes in what is a core module.

Attachment: c2bm_no_node_load.patch (662 bytes)

#2

ericdes - May 11, 2007 - 09:54

Thank you for bringing this up. I'm also concerned about giving the "create url aliases" rights to any users with the bookmarks rights. I'll look into your patch and make a correction in the next release.

#3

ericdes - May 12, 2007 - 08:21
Title: Access control quirk - path.module's "create url aliases" needed » "create url aliases" access needed?
Assigned to: Anonymous » ericdes
Status: active » postponed (maintainer needs more info)

Freeman... I was able to use the click2bookmark module without the 'create url aliases' rights. If someone has the same problem could you add a note in this issue?

#4

jthorson - July 19, 2007 - 17:16

I suspect this is my issue as well ...

... The node gets put into the click2bookmark table fine, but the path column is empty. I have not enabled create_url_aliases right (and will not be!), but I tracked the problem to $node->path not being loaded before I started looking here. :)
