Popular Content block does not respect node-level permissions, so shows titles of nodes which the user can't access. This one-line patch for Drupal 4.6 adds the missing db_rewrite call.

CommentFileSizeAuthor
popular_content_access.patch1.02 KBmenesis

Comments

ankur’s picture

ankur commented

+1

The node_privacy_byrole module in contribs makes changes to the node_access table that get ignored by the title listings generated by statistics.module's popular content listings. This is because the queries used to generate the listings don't check permissions on a JOIN to the node_access table as they should. The problem came to my attention in the issues queue for node_privacy_byrole:
http://drupal.org/node/16243

The patch changes the query so that it calls db_rewrite_sql() which in turn calls node_db_rewrite_sql() which is the function that inserts the node_access check into the query.

-Ankur

Steven’s picture

Steven commented

Applied to 4.6 and HEAD.

menesis’s picture

menesis commented