I may have something misconfigured here, or may not be following best practices. However, after creating a new node in the unpublished (status = 0) state, and assigning it to a category, the taxonomy_dhtml page appears to reference it. On the /taxonomy_dhtml super-index page, one can find the title of the article and a link to it. Attempting to follow the link doesn't reveal any content because of a later permission check. However, the title of the node is being disclosed, and that seems like a minor security problem.

There appears to be a function, taxonomy_dhtml_inject_nodes(), that loads node records from the database with a SQL query:

$result = db_query_range(db_rewrite_sql("SELECT n.nid, n.title, n.type, u.uid, u.name FROM {term_node} r LEFT JOIN {node} n ON r.nid = n.nid LEFT JOIN {users} u ON n.uid = u.uid WHERE $type_q AND r.tid = '$term->tid' ORDER BY n.changed DESC"), 0,

That function appears to accept and return data for every node identified by that query. Perhaps it should use node_access('view')?

Thank you...
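The disclosure described in the report can be reproduced outside Drupal. This is an added example, not code from taxonomy_dhtml or from the post: it runs a query of the same shape against a constructed SQLite database and compares it with a variant that filters on n.status. The simplified tables, the n.type condition standing in for $type_q, the sample rows and the helper names are all assumptions.

```python
import sqlite3

# Constructed sample data: simplified stand-ins for Drupal's {node},
# {term_node} and {users} tables. Node 11 is unpublished (status = 0).
SCHEMA = """
CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, type TEXT,
                   uid INTEGER, status INTEGER, changed INTEGER);
CREATE TABLE term_node (nid INTEGER, tid INTEGER);
CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT);
INSERT INTO users VALUES (1, 'editor');
INSERT INTO node VALUES (10, 'Published article', 'story', 1, 1, 100);
INSERT INTO node VALUES (11, 'Unpublished draft', 'story', 1, 0, 200);
INSERT INTO term_node VALUES (10, 5), (11, 5);
"""

# Same shape as the query quoted in the report: no condition on n.status.
# "n.type = ?" is an assumed stand-in for $type_q; tid is bound, not interpolated.
LISTING_SQL = """
SELECT n.nid, n.title, n.type, u.uid, u.name
FROM term_node r
LEFT JOIN node n ON r.nid = n.nid
LEFT JOIN users u ON n.uid = u.uid
WHERE n.type = ? AND r.tid = ?
ORDER BY n.changed DESC
"""

# Variant that only lists published nodes.
FILTERED_SQL = LISTING_SQL.replace("WHERE", "WHERE n.status = 1 AND")

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def titles(db, sql, node_type, tid):
    """Return the node titles a term listing built from `sql` would show."""
    return [row[1] for row in db.execute(sql, (node_type, tid))]

def leaked_titles(db, node_type, tid):
    """Titles in the unfiltered listing that the published-only listing omits."""
    allowed = set(titles(db, FILTERED_SQL, node_type, tid))
    return [t for t in titles(db, LISTING_SQL, node_type, tid) if t not in allowed]

if __name__ == "__main__":
    db = make_db()
    print("unfiltered:", titles(db, LISTING_SQL, "story", 5))
    print("published only:", titles(db, FILTERED_SQL, "story", 5))
    print("disclosed:", leaked_titles(db, "story", 5))
```

A status filter only covers the published/unpublished distinction; a per-node check such as the node_access('view') call suggested above would also cover access restrictions that are not expressed in the status column.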

Comments

Status: Fixed » Closed (fixed)