Move node access checks to load instead of display
rush86999 - May 4, 2008 - 20:51
| Project: | Activity |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | task |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | active |
Description
Also I have not tried this but to mention does activity respect User Relationship Node access module? Otherwords when a user selects which relationship can view the node will activity also not record it if the other user's relationship is not selected to view the node?
#1
I have two patches for nodeactivity and commentactivity that call node_access('view', $nid) in hook_activityapi(). This isn't ideal, be great if activity table had a primary_id field. THEN that could be used.
Maybe that wouldn't make it simpler.. not sure. Something to consider. But this works!
#2
This needs to be a feature in the module.
I'm getting this error after patching the commentactivity contrib.
* warning: Invalid argument supplied for foreach() in /home/mysite/public_html/modules/node/node.module on line 561.* warning: implode() [function.implode]: Invalid arguments passed in /home/mysite/public_html/modules/node/node.module on line 565.
* user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 query: SELECT n.nid, n.vid, n.type, n.status, n.created, n.changed, n.comment, n.promote, n.sticky, r.timestamp AS revision_timestamp, r.title, r.body, r.teaser, r.log, r.format, u.uid, u.name, u.picture, u.data FROM node n INNER JOIN users u ON u.uid = n.uid INNER JOIN node_revisions r ON r.vid = n.vid WHERE in /home/mysite/public_html/includes/database.mysql.inc on line 172.
What could be causing this?
#3
The Node Activity Patch seems to be working for the most part. However, it does still output an empty
<li>see attached screenshot.#4
cross reference with this issue:
#230010: Check node_access permissions when displaying activity
#5
Subscribed
#6
subscribing
#7
subscribing
#8
Ok I think the approach the original poster took in their patch is sound. I am adding this now but it will need testing across the various activity contrib modules.
#9
Added an access check to the display phase of the activity records. Please test out on a development snapshot (10/31 or later).
#10
#11
I've changed the title to reflect the current state of this task. We need to change the model for node access to act on activity load and not on display. This will require activity records to be able to store content IDs so that access checks can be made at load time.
This is likely to be a 6.2 branch feature.
#12
I would say that this is very critical. Currently I can see all the topics of comments listed in activity from private groups for example.
I'm not familiar with views filters, but I managed to hide comments which the user didn't have access with "Node access"-filter in another view. Would it be possible to have this filter in Activity also, so that the view wouldn't list the activity if the user doesn't have access to the node? Then there should be some other way to hide them from activity/all-listing.