Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I believe I have found a bug.
If you goto http://www.etherpunk.com/comment/reply/180 (possibly NSFW) it allows you to view the posting (while you don't have permission to actually post, it still allows the page to get displayed).
I found this out by using awstats on my box and found that a hidden page was getting hit fairly common that I really don't want getting shown (well, it's on the web, I know... but... I'd rather have more controlled access).
Does this belong in the comment section for not obeying TAC?
Can anyone confirm this on their site?
Kenny
Comment | File | Size | Author |
---|---|---|---|
#15 | comment_reply_access_6.patch | 1.87 KB | killes@www.drop.org |
#12 | comment_reply_access_5.patch | 1.65 KB | chx |
#11 | comment_reply_access_4.patch | 1.65 KB | chx |
#10 | comment_reply_access_3.patch | 1.61 KB | chx |
#7 | comment_reply_access_2.patch | 1.56 KB | chx |
Comments
Comment #1
pyromanfo CreditAttribution: pyromanfo commentedThat's definitely something you need to take up with the comment module guys. It's not just taxonomy access control either, it's the core node_access hooks in Drupal. If they'll just check that before displaying a node for reply, that'd fix it no problem.
Comment #2
moshe weitzman CreditAttribution: moshe weitzman commentedfiled under comment.module ... note that my big comment patch gets rid of this page entirely (consolidates under comment/edit) so it might make sense to apply my patch instead of fixing this.
Comment #3
chx CreditAttribution: chx commentedmoshe , http://drupal.org/node/18656 this does not seem to affect the permissions of the comment/reply path.
I think the approach I have taken is blatantly simple: literally check for access.
Comment #4
chx CreditAttribution: chx commentedComment #5
chx CreditAttribution: chx commentedComment #6
chx CreditAttribution: chx commentedComment #7
chx CreditAttribution: chx commentedComment #8
(not verified) CreditAttribution: commentedThe discovery of this patch makes me wonder, whether we shouldn't centralize the access controll a bit more.
If a core module can show this kind of bug, contrib modules will almost certainly. I propose to do a node_access() check inside node_load.
Gerhard
Comment #9
(not verified) CreditAttribution: commentedI also don't think that the patch is working.
node_access(arg(2)) should probably be node_access('view', $node) and the node needs loading before.
Gerhard
Comment #10
chx CreditAttribution: chx commentedOK, patch corrected.
I think adding node_access to node_load would break havoc 'cos there are some routines (even in core) which do not check whether the node_load was successful or not. This is a whole another topic, please make another issue.
What we need, IMHO is to patch this quickly...
Comment #11
chx CreditAttribution: chx commentedI also forgot to check whether node_load was successful or not...
Comment #12
chx CreditAttribution: chx commentedComment #13
(not verified) CreditAttribution: commentedThe patch looks good now. I agree that centralizing the node_access checking should be another task. This patch is needed now and should also be backported to the 4.5 branch.
Gerhard
Comment #14
chx CreditAttribution: chx commentedDries commited.
Comment #15
killes@www.drop.org CreditAttribution: killes@www.drop.org commentedHere's a 4.5 patch. Untested.
Comment #16
(not verified) CreditAttribution: commented