We just started a public beta of our site and i found that the anonymous user can edit any article and blog on the site. We're also running OG User Roles and TAC. Once i uninstalled the domain module everything went back to normal.

i must be doing something wrong.

Comments

agentrickard’s picture

Status: Active » Postponed (maintainer needs more info)

Well, this is still a beta release, and the scenario you describe is overly complicated. You have 3 node access modules running. This behavior has never been reported, so it is likely a conflict between the 3 modules.

Remember that node access is a permission OR system -- unless you install the 'mutiple node access' patch provided -- and installing additional node access modules rebuilds your {node_access} table. My guess would be that the rebuild process wrote some rules into your {node_access} table that caused this behavior. Removing the DA module forces this rebuild again.

Two things to check first -- after reading the Domain Access documentation.

-- Did you give anonymous users the 'edit domain nodes' permission? Or any other permission they should not have?

-- Did you apply the 'multiple_node_access' patch?

Without a dump of your {node_access} table this is near impossible to debug. Additionally, the next beta incorporates some changes that may affect how DA interacts with TAC and OG User Roles.

DA has only been tested in concert with OG, and that seems to work as expected.

agentrickard’s picture

Title: anonymous user can edit content with this module turned on » anonymous user can edit content in some configurations
ben soo’s picture

Hi, and thank you for answering so quickly (i appreciate it especially since i'm a bit of a slug myself).

You know i'm not altogether sure i did apply the patch. i'd lined up a big folder of module patches to go in along with the Dec.6th set of Drupal core code and this one was there, but i can't pull up a memory of actually applying and checking it.

i'll run a mysqlcheck just in case and give it another go.

i'm very certain that anonymous users don't have any access control permissions they shouldn't have.

If this happens again, how do i dump the {node_access} table for you?

It is too complicated to have 3 access modules running, i agree. OG however isn't very usable in terms of inter-group security without OG User Roles, and TAC i found to be generally necessary. Yes, even the 2 of them together is plenty messy; the latest versions and patches for them do make those 2 play nice together.

thanks again,
b

[edit: i just looked and yes, i did add the missing return. That's probably why i have no memory of apply a patch, since it isn't one]

[edit 2: i looked again and saw the 2 files in the patches module. i checked those against the core node.module and common.inc and yes, those were also applied at the time anonymous users were able to edit everything on the site]

agentrickard’s picture

Assigned: Unassigned » agentrickard

I suspect an issue with TAC or OG_Roles and node_access_rebuild().

The easiest thing to do is a raw sql dump of {node_access}. If you use PhpMyAdmin or another control panel style editor, it should be able to hand you that data. A csv or tab-delimited file is fine.

If not, you could add this code to one of your admin pages. (Adding it to the function domain_admin() in the domain.module will print the info out on Domain settings pages). Then you could copy the results to a text file.

$header = array('nid', 'gid', 'realm', 'view', 'update', 'delete');
$rows = array();
$result = db_query("SELECT * FROM {node_access} ORDER BY nid");
while ($data = db_fetch_object($result)) {
  $rows[] = array($data->nid, $data->gid, $data->realm, $data->grant_view, $data->grant_update, $data->grant_delete);
}
print theme('table', $header, $rows);

This should print a table representing your {node_access} table at the top of the page.

agentrickard’s picture

I should note, in case it isn't obvious, this module is in active development and testing. It isn't quite stable, but some folks are working very hard to make it so.

ben soo’s picture

o yes, i've been in the open source world for a decade and a half and understand the nature of it; no worries there. Just very happy you are developing Drupal modules like this that really helps to complete the set of functionality that should be in a good CMS.

i will put that code in and get a dump of the {node_access} table. Meanwhile i'm getting these SQL errors as a user with no special privileges after i change TAC settings for that user role. i was getting them elsewhere but i hadn't set up domains properly so will leave them out of consideration.

Once i change the TAC settings as user 1, i get these errors, as a regular user, in views and panels in place of the actual teasers or node contents.

user warning: Unknown column 'domain' in 'where clause' query: SELECT COUNT(*) FROM node n INNER JOIN node_access na ON na.nid = n.nid INNER JOIN node_access naa ON naa.nid = n.nid LEFT OUTER JOIN og_ancestry ogan ON ogan.nid = naa.nid left outer join term_node trn on trn.nid = naa.nid left outer join term_access ta on ta.tid = trn.tid left outer join og ogm on ogm.nid = naa.nid left outer join og_users_roles ogr on ogr.rid = naa.gid left outer join og_uid ogu on ogu.nid = naa.nid left outer join nodefamily nof on nof.child_nid = naa.nid left outer join usernode un on nof.parent_nid = un.nid LEFT OUTER JOIN acl_node an ON an.nid = naa.nid LEFT OUTER JOIN acl_user aclu ON aclu.acl_id = an.acl_id WHERE (na.grant_view >= 1 AND ((na.realm = 'all' AND na.gid = 0) OR (na.realm = 'content_access_author' AND na.gid = 9) OR (na.realm = 'content_access_rid' AND na.gid = 29) OR (na.realm = 'og_public' AND na.gid = 0) OR (na.realm = 'og_subscriber' AND na.gid = 152) OR (na.realm = 'workflow_access' AND na.gid = 29) OR (na.realm = 'workflow_access_owner' AND na.gid = 9) OR (na.realm = 'term_access' AND na.gid = 29)) AND na.nid IN (SELECT na.nid FROM node_access na WHERE ((na.realm = 'domain_site' AND na.gid = 0) OR (na.realm = 'domain_id' AND na.gid = 0))) ) AND (na.grant_view >= 1 AND ((na.gid = 0 AND na.realm = 'all') OR (na.gid = 9 AND na.realm = 'content_access_author') OR (na.gid = 2 AND na.realm = 'content_access_rid') OR (na.gid = 29 AND na.realm = 'content_access_rid') OR (na.gid = 0 AND na.realm = 'domain_site') OR (na.gid = domain AND na.realm = 'domain_site') OR (na.gid = 0 AND na.realm = 'domain_id') OR (na.gid = domain AND na.realm = 'domain_id') OR (na.gid = 0 AND na.realm = 'og_public') OR (na.gid = 152 AND na.realm = 'og_subscriber') OR (na.gid = 2 AND na.realm = 'workflow_access') OR (na.gid = 29 AND na.realm = 'workflow_access') OR (na.gid = 9 AND na.realm = 'workflow_access_owner') OR (na.gid = 2 AND na.realm = 'term_access') OR (na.gid = 29 AND na.realm = 'term_access')) AND (ogan.group_nid in ('152') AND ta.rid in ('2','29') AND ta.grant_view = true) OR (na.realm = 'content_access_rid' AND ((na.gid in ('2','29')) OR (ogr.uid = 9 AND na.gid = ogr.rid)) AND na.grant_view = 1) OR (na.realm = 'content_access_author' AND na.gid = 9 AND na.grant_view = 1) OR (ogm.nid > 0 and (na.nid in ('152')) or ogm.directory = 1 ) OR (na.realm = 'og_public' AND na.gid = 0) OR (ogr.uid = 9 AND ta.rid = ogr.rid AND ogan.group_nid = ogr.gid AND ta.grant_list = true) OR (nof.child_nid = na.nid AND na.realm = 'term_access' AND un.uid = 9 AND na.grant_view = 1) OR (nof.child_nid = na.nid AND na.realm = 'term_access' AND ta.rid in ('2','29') AND ta.grant_view = true) OR (na.realm = 'acl' AND aclu.uid = 9 AND na.grant_view = 1) OR (ogan.group_nid is null AND na.realm = 'term_access' AND ta.rid in ('2','29') AND ta.grant_view = true) ) AND ( n.type = 'blog' AND n.uid = 9 AND n.status = 1 ) in /www/docs/d5test/includes/database.mysql.inc on line 172.
user warning: Unknown column 'domain' in 'where clause' query: SELECT DISTINCT(n.nid), n.sticky, n.created FROM node n INNER JOIN node_access na ON na.nid = n.nid INNER JOIN node_access naa ON naa.nid = n.nid LEFT OUTER JOIN og_ancestry ogan ON ogan.nid = naa.nid left outer join term_node trn on trn.nid = naa.nid left outer join term_access ta on ta.tid = trn.tid left outer join og ogm on ogm.nid = naa.nid left outer join og_users_roles ogr on ogr.rid = naa.gid left outer join og_uid ogu on ogu.nid = naa.nid left outer join nodefamily nof on nof.child_nid = naa.nid left outer join usernode un on nof.parent_nid = un.nid LEFT OUTER JOIN acl_node an ON an.nid = naa.nid LEFT OUTER JOIN acl_user aclu ON aclu.acl_id = an.acl_id WHERE (na.grant_view >= 1 AND ((na.realm = 'all' AND na.gid = 0) OR (na.realm = 'content_access_author' AND na.gid = 9) OR (na.realm = 'content_access_rid' AND na.gid = 29) OR (na.realm = 'og_public' AND na.gid = 0) OR (na.realm = 'og_subscriber' AND na.gid = 152) OR (na.realm = 'workflow_access' AND na.gid = 29) OR (na.realm = 'workflow_access_owner' AND na.gid = 9) OR (na.realm = 'term_access' AND na.gid = 29)) AND na.nid IN (SELECT na.nid FROM node_access na WHERE ((na.realm = 'domain_site' AND na.gid = 0) OR (na.realm = 'domain_id' AND na.gid = 0))) ) AND (na.grant_view >= 1 AND ((na.gid = 0 AND na.realm = 'all') OR (na.gid = 9 AND na.realm = 'content_access_author') OR (na.gid = 2 AND na.realm = 'content_access_rid') OR (na.gid = 29 AND na.realm = 'content_access_rid') OR (na.gid = 0 AND na.realm = 'domain_site') OR (na.gid = domain AND na.realm = 'domain_site') OR (na.gid = 0 AND na.realm = 'domain_id') OR (na.gid = domain AND na.realm = 'domain_id') OR (na.gid = 0 AND na.realm = 'og_public') OR (na.gid = 152 AND na.realm = 'og_subscriber') OR (na.gid = 2 AND na.realm = 'workflow_access') OR (na.gid = 29 AND na.realm = 'workflow_access') OR (na.gid = 9 AND na.realm = 'workflow_access_owner') OR (na.gid = 2 AND na.realm = 'term_access') OR (na.gid = 29 AND na.realm = 'term_access')) AND (ogan.group_nid in ('152') AND ta.rid in ('2','29') AND ta.grant_view = true) OR (na.realm = 'content_access_rid' AND ((na.gid in ('2','29')) OR (ogr.uid = 9 AND na.gid = ogr.rid)) AND na.grant_view = 1) OR (na.realm = 'content_access_author' AND na.gid = 9 AND na.grant_view = 1) OR (ogm.nid > 0 and (na.nid in ('152')) or ogm.directory = 1 ) OR (na.realm = 'og_public' AND na.gid = 0) OR (ogr.uid = 9 AND ta.rid = ogr.rid AND ogan.group_nid = ogr.gid AND ta.grant_list = true) OR (nof.child_nid = na.nid AND na.realm = 'term_access' AND un.uid = 9 AND na.grant_view = 1) OR (nof.child_nid = na.nid AND na.realm = 'term_access' AND ta.rid in ('2','29') AND ta.grant_view = true) OR (na.realm = 'acl' AND aclu.uid = 9 AND na.grant_view = 1) OR (ogan.group_nid is null AND na.realm = 'term_access' AND ta.rid in ('2','29') AND ta.grant_view = true) ) AND ( n.type = 'blog' AND n.uid = 9 AND n.status = 1 ) ORDER BY n.sticky DESC, n.created DESC LIMIT 0, 15 in /www/docs/d5test/includes/database.mysql.inc on line 172.
agentrickard’s picture

Status: Postponed (maintainer needs more info) » Active

Good lord that's an ugly query.

This section of the query is generated (correctly) by the multiple_node_access patch:

	(na.grant_view >= 1 AND 
  	(
  	  (na.realm = 'all' AND na.gid = 0) OR 
    	  (na.realm = 'content_access_author' AND na.gid = 9) OR 
      	  (na.realm = 'content_access_rid' AND na.gid = 29) OR 
    	  (na.realm = 'og_public' AND na.gid = 0) OR 
    	  (na.realm = 'og_subscriber' AND na.gid = 152) OR 
    	  (na.realm = 'workflow_access' AND na.gid = 29) OR 
    	  (na.realm = 'workflow_access_owner' AND na.gid = 9) OR 
    	  (na.realm = 'term_access' AND na.gid = 29)
 	) 
	AND na.nid IN 
  	(SELECT na.nid FROM node_access na 
          WHERE 
	     (	
	       (na.realm = 'domain_site' AND na.gid = 0) OR 
               (na.realm = 'domain_id' AND na.gid = 0)
             )
           )
        ) 

This part of the code is an error introduced by Panels or Views because of API changes introduced by the multiple_node_access patch.

(na.gid = domain AND na.realm = 'domain_site') OR

That is a DA bug. It begs the question, though, which module is writing that query and why is it appending node_access logic onto a query that already has node_access logic?

If you are ok with the default OR permissions in node access, then you don't need the multiple_node_access patch and this error should disappear.

In general, I think you need to rethink your site architecture. No use-case on earth would require all these node access modules. (I count 6 in this query alone, 7 if you count ACL.)

For most people DA totally replaces TAC. And this query is such a monstrosity that you need to be writing custom pages rather than using a query builder.

From a strictly DA point-of-view, I'll have to see if the API changes introduced by the mutliple_node_access patch can be mitigated.

So the question remains: what generated that query?

ben soo’s picture

i've been sitting with a piece of paper drawing diagrams trying to figure out how i'll go about replacing TAC, what the ramifications will be. i'm afraid i can't do without OG User Roles, but TAC can probably go. i think your domain module is more important to how the site should work.

That blob of query certainly is ugly. The site threw up the same thing on a user blog page and i didn't understand that. It did it on nodes too.

The site uses memcache, dunno if that exacerbates it.

i had to stop messing with the site for now since our web designer logged in and started working on it. Well ok: there are really only the two of us building it at this time.

Have a good weekend folks, and again let me express my thanks to you, agentrickard.

b

agentrickard’s picture

Status: Active » Postponed (maintainer needs more info)

The trick would be to install the devel module and enable query logging. This is invaluable when developing your site.

The query log will print at the bottom of the page and show which functions make which queries.

I need to know:

a) Where the above query is coming from.

b) On 'node' page, what are the following queries:

-- node_access_view_all_nodes
-- the pager_query that immediately follows it

Otherwise, from what I can see, the OG_user_roles module is not compatible with Domain Access. The main reason seems to be that DA uses the multiple_node_access patch to coordinate among node access modules. OGUR used the nodeapi 'access' $op approach, and includes some specific TAC integrations that are hardcoded into the module.

I believe that DA will work normally with these modules IF you simply do not install the multiple_node_access patch.

Will add to the documentation.

agentrickard’s picture

Status: Postponed (maintainer needs more info) » Closed (fixed)

Added to the documentation. If you figure out where the second half of that query is coming from, please open a new issue.

ben soo’s picture

Hi;

i certainly will do that if it pops up again. At this time i've stripped out all the third party modules that affect access permissions.

--That thing started happening again whereby anonymous users can edit everything, so i removed layer by layer all modules that affect access permissions. Started seeing one odd thing after another until i ended up removing all of them, including the workflow access module.

Will start building it back up once i spend more time with the paper, pencil and the diagrams, and report any anomalies here if they seem related to the domain module. It's highly unlikely i'll use the same mix of modules as before, so i can't say what will crop up next time.

b

somebodysysop’s picture

Just for clarification, OG User Roles uses hook_nodeapi($op='access') with TAC/OG Integration ONLY. With that turned off, OG User Roles requires no custom patches. Theoretically, OGR should have no problem working with DA with TAC/OG turned off. The only purpose of the TAC/OG Integration code is to make TAC and OG work together, and this is strictly optional (and not recommended) in the module settings.

If there is another way of doing TAC/OG integration, I'd LOVE to hear it.

agentrickard’s picture

Try the multiple node access patch. http://drupal.org/node/196922

netw3rker’s picture

this seems to have cropped up on one of my very recently built sites as well. Here is a much simpler query than the one posted above. As you can see i'm only using 2 auth modules (workflow access & domain access). I do have the multiple_node_access patch applied too. any thoughts on why "domain" is being put in w/o quotes?

SELECT COUNT(*) 
FROM node_access 
WHERE nid = 0 
AND (
  (gid = 0 AND realm = 'all') 
  OR (gid = 0 AND realm = 'domain_site') 
  OR (gid = domain AND realm = 'domain_site') 
  OR (gid = 2 AND realm = 'domain_id') 
  OR (gid = domain AND realm = 'domain_id') 
  OR (gid = 1 AND realm = 'workflow_access') 
  OR (gid = 0 AND realm = 'workflow_access_owner')
)
AND grant_view >= 1

TIA!

agentrickard’s picture

This issue is closed. Please start over.