Closed (fixed)
Project:
RESTful Web Services
Version:
7.x-2.x-dev
Component:
Code
Priority:
Critical
Category:
Bug report
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
7 Aug 2012 at 15:11 UTC
Updated:
4 Jan 2014 at 02:24 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #1
fagoefq usually applies node access grants by default (what sucks), look for the respective tags.
Comment #2
sepgil commentedCouldn't find any other solution, than to call RestWSResourceControllerInterface::access() for each entity efq has retrieved. However I'm not sure, what to do if the user no access to a node. For now it simply filters those entities out.
Comment #3
klausiwhat about paging? Filtering out entities afterwards will clash with the count query for paging, right?
And as fago said EFQ should use the node access tag per default, why does that not work in our case?
Comment #4
sepgil commentedYou are right, the patch above will break the paging.
node_access works just for nodes, and we should respect the permissions for all entities, but I currently don't know how.
This new patch, add the node_access tag, which has to be set explicit for each query.
Comment #5
klausiThe tag should only be added if the resource type is node.
And this needs a test case. An unpublished node must not show up in query results for unprivileged users.
Comment #6
sepgil commented-removed-
Comment #7
sepgil commentedAfter a lot of debugging klausi and I found out that node_access doesn't checks for published/unpublished node (details here). So this patches checks if the user lacks the right permission and adds a propertyCondition() with status=1. I ignored the permission view own unpublished content, since we would have to check it against each loaded node...
Comment #8
sepgil commentedforgot to post the patch
Comment #9
klausiwrong patch?
Comment #10
sepgil commentedGot confused with all the similiar issue numbers, sorry.
here is the right patch.
Comment #11
klausiCommitted a slightly modified version of this patch.