I have found that since the node_rewrite_sql() patch has been applied the node_access doesn't seem to be working. I have tracked it down to the node_access_join_sql() and node_access_where_sql in which it checks for the existance of the access_grants hook.

This hook access_grants doesn't actually exist, and should really be the node_grants() hook. This is actually stopping the node_rewrite_sql() from working.

Attached is a patch to correct this.

CommentFileSizeAuthor
#2 node_23.patch1.22 KBchx
node_22.patch1.24 KBgordon
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

gordon’s picture

Priority: Normal » Critical

Looking at this more, I beleive that this is critical because of the incorrect checking of the node_grants hook every user is able to see all nodes, but I have a feeling that they maybe able to see the teaser.

chx’s picture

FileSize
1.22 KB

While you are right about the fact that I have made a bug here, the fix is also wrong. node_access_grants calls module_invoke_all('node_grants') so indeed module_implements('node_grants') is needed. module_implements('node_grants') will an array with the names of the modules which implement hook_node_grants. If there are none, it will return an empty array. The array('node') thing was required for access_grants, 'cos node_access_grants always exists. Not so with node_node_grants -- this never exists.

Enough chit-chat, let's see the patch.

gordon’s picture

Ah, I actually thought that I saw the function node_node_grants(). I think we need to get this in asap, esp if people are using the node_priv_byrole module.

Dries’s picture

Committed to HEAD. Thanks chx.

Anonymous’s picture