Put a line in your page.tpl.php like this:

<?php echo $node->path; ?>

Log in as an admin and give one of your pages a path name. When you view it, you should see the path echoed out where you placed the PHP code.

Now log out and visit the same page as an anonymous user. You will not see the path echoed out. $node->path is not even set at this point.

You can place this code in your page.tpl.php to prove it:

<?php print_r($node); ?>

Look for the "path" object. It won't be there unless you're logged in as administrator.

The only workaround I've found is to grant "administer url aliases" rights to anonymous and registered users (and any other relevant roles). I don't have to tell you how big of a security hole this is. Any anonymous user could surf to http://www.mysite.com/admin/build/path and wreak alias-related havoc.

As far as I can tell, there is no security issue populating the $node->path object without the user being a url alias administrator. Everything else in $node is populated, and Paths are used for anonymous users as well.

I found this because I am developing a theme that changes a graphical element of the page based on what page it is - and while I can simply evaluate $_GET['q'] and use the "node/xx" format, I felt that using $node->path would be much more intuitive.

Comments

michelle’s picture

Version: » 4.2.x-1.x-dev
Status: Active » Closed (duplicate)

Assuming you mean core and not this ancient contrib module, it's already been fixed here: http://drupal.org/node/216404

Michelle