I have found that since the node_rewrite_sql() patch has been applied the node_access doesn't seem to be working. I have tracked it down to the node_access_join_sql() and node_access_where_sql in which it checks for the existance of the access_grants hook.

This hook access_grants doesn't actually exist, and should really be the node_grants() hook. This is actually stopping the node_rewrite_sql() from working.

Attached is a patch to correct this.

CommentFileSizeAuthor
#2 node_23.patch1.22 KBchx
node_22.patch1.24 KBgordon

Comments

gordon’s picture

gordon commented
Priority: Normal » Critical

Looking at this more, I beleive that this is critical because of the incorrect checking of the node_grants hook every user is able to see all nodes, but I have a feeling that they maybe able to see the teaser.

chx’s picture

chx commented
StatusFileSize
new node_23.patch1.22 KB

While you are right about the fact that I have made a bug here, the fix is also wrong. node_access_grants calls module_invoke_all('node_grants') so indeed module_implements('node_grants') is needed. module_implements('node_grants') will an array with the names of the modules which implement hook_node_grants. If there are none, it will return an empty array. The array('node') thing was required for access_grants, 'cos node_access_grants always exists. Not so with node_node_grants -- this never exists.

Enough chit-chat, let's see the patch.

gordon’s picture

gordon commented

Ah, I actually thought that I saw the function node_node_grants(). I think we need to get this in asap, esp if people are using the node_priv_byrole module.

dries’s picture

dries commented

Committed to HEAD. Thanks chx.

Anonymous’s picture

(not verified) commented