Closed (fixed)
Project:
Views (for Drupal 7)
Version:
6.x-2.0-alpha4
Component:
Miscellaneous
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
30 Mar 2008 at 11:42 UTC
Updated:
14 Apr 2008 at 17:41 UTC
If the input format is set to php in the header of a view, only the admin user can view it. All other users get n/a. Did I forgot to set a permission anywhere?
Tanks!
Comments
Comment #1
merlinofchaos commentedIt's possible I'm calling check_markup wrong; that sounds like it's probably a bug on my side.
Comment #2
steve.colson commentedLine 1021 in includes/plugins.inc seems to be the culprit, and this impacts all filter types that a user doesn't have access to (full html for most site's annon users) as would be expected by this bug.
Now, if this is changed from: return check_markup($value, $this->get_option($area . '_format'));
to: return $value;
does this introduce any significant security issues, or does it only potentially impact the ajax rendering in the views admin page?
Comment #3
merlinofchaos commentedThe check_markup there is essential. However, there is a 3rd parameter missing that tells Drupal NOT to check the 'current user' permissions (which irritates the crap out of me. I'm not sure that there is anywhere in the entire system that the 3rd parameter is actually used, because how can the current user possibly be the only one viewing content? Anyhow.) This is now fixed in -dev.
Comment #4
Anonymous (not verified) commentedAutomatically closed -- issue fixed for two weeks with no activity.