If the input format is set to php in the header of a view, only the admin user can view it. All other users get n/a. Did I forgot to set a permission anywhere?

Tanks!

Comments

merlinofchaos’s picture

Category: support » bug

It's possible I'm calling check_markup wrong; that sounds like it's probably a bug on my side.

steve.colson’s picture

Line 1021 in includes/plugins.inc seems to be the culprit, and this impacts all filter types that a user doesn't have access to (full html for most site's annon users) as would be expected by this bug.

Now, if this is changed from: return check_markup($value, $this->get_option($area . '_format'));
to: return $value;
does this introduce any significant security issues, or does it only potentially impact the ajax rendering in the views admin page?

merlinofchaos’s picture

Status: Active » Fixed

The check_markup there is essential. However, there is a 3rd parameter missing that tells Drupal NOT to check the 'current user' permissions (which irritates the crap out of me. I'm not sure that there is anywhere in the entire system that the 3rd parameter is actually used, because how can the current user possibly be the only one viewing content? Anyhow.) This is now fixed in -dev.

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.