Posted by reikiman on March 4, 2008 at 9:55pm
| Project: | Activity |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | task |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
I see that in http://drupal.org/node/213897 there had been an issue that unpublished posts show up in the activity. This report is similar but different. My site uses the Forum Access module (based on ACL) and we have a private forum where the moderators debate moderator activity. This cannot be shown to the rest of the users but the Activity list shows the titles of postings in the private forum. If someone clicks through the title they get an access denied message, but I think even revealing the titles is a no-no.
The activity table should only show things for which the current user has access rights to see.
Comments
#1
FWIW I'm on the latest Drupal 5.x release using Activity 5.x-3-beta
#2
Because of the way the activity data is stored (for let's say a node or comment), there is no direct access to the node nid that could be used in the query to fetch activity to check for node access.
You could fetch results and do the filtering for node access after retrieving results but as that is in a pager query, you will end up with possibly fewer results than the pager limit.
Any thoughts from the module developers?
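
The trade-off described in #2, as an added example that is not part of this thread or the Activity module's code: filtering after a single pager fetch hides the private titles but returns a short page, while refetching from a cursor fills the page. It is a stand-alone Python model rather than Drupal PHP; `ACTIVITY`, `PRIVATE_NIDS`, `can_view` (a stand-in for the site's node access check) and `fetch_batch` are constructed for illustration.

```python
from typing import List, Optional, Tuple

Row = Tuple[int, int, str]  # (activity id, node id, title)

# Constructed sample data, newest first by activity id; not the module's schema.
ACTIVITY: List[Row] = [
    (8, 104, "Moderators: ban appeal"),
    (7, 101, "Site upgrade tonight"),
    (6, 104, "Moderators: spam policy"),
    (5, 105, "Moderators: warning for a member"),
    (4, 102, "Photo contest"),
    (3, 104, "Moderators: rota"),
    (2, 103, "New member intro"),
    (1, 101, "Welcome"),
]
PRIVATE_NIDS = {104, 105}  # nodes in the private moderator forum (constructed)

def can_view(is_moderator: bool, nid: int) -> bool:
    """Hypothetical stand-in for the site's node access check."""
    return is_moderator or nid not in PRIVATE_NIDS

def fetch_batch(before_id: Optional[int], limit: int) -> List[Row]:
    """Simulates the pager query: newest rows with id < before_id, capped."""
    rows = [r for r in ACTIVITY if before_id is None or r[0] < before_id]
    return rows[:limit]

def naive_page(is_moderator: bool, limit: int) -> List[Row]:
    """Filter after one fetch: nothing leaks, but the page comes back short."""
    return [r for r in fetch_batch(None, limit) if can_view(is_moderator, r[1])]

def filled_page(is_moderator: bool, limit: int,
                before_id: Optional[int] = None) -> Tuple[List[Row], Optional[int]]:
    """Refetch until the page is full or the data runs out.
    Returns (visible rows, cursor for the next page or None when exhausted)."""
    page: List[Row] = []
    cursor = before_id
    while len(page) < limit:
        batch = fetch_batch(cursor, limit)
        if not batch:
            return page, None        # no more activity at all
        for row in batch:
            cursor = row[0]          # every row newer than this was examined
            if can_view(is_moderator, row[1]):
                page.append(row)
                if len(page) == limit:
                    break
    return page, cursor
```
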
#3
Subscribing to this, as it's very important from the point of view of social networks where people should be able to have private groups and not have that information leaked outside of those groups and/or outside their social networks.
Access control for OG, TAC, Access module, etc. (all done through node_access, I believe) should really be taken into account. In addition it would be great to be able to limit things to just people in your social network, so others can't see the activity.
#4
cross referencing with this issue:
#254632: Move node access checks to load instead of display
#5
I think the approach in the patch here is going to get what we need: #254632: Move node access checks to load instead of display
#6
Added an access check to the display phase of the activity records. Please test out on a development snapshot (10/31 or later).
#7
Closing in favor of the issue referenced in #5