File for node should not be listed if user does not have permission to view it

SomebodySysop - June 12, 2008 - 23:09
Project: Swish-E Indexer
Version: 5.x-1.1
Component: Code
Category: feature request
Priority: normal
Assigned: Unassigned
Status: closed
Description

I noticed that there is no access control on indexed files that are listed in search results. If the user cannot access the node for the file, it should not be listed.

Here is suggested code for swish_search('search') that I believe would address this:

<?php
$node = node_load($text_item->nid);

// Return this row only if user has access to view the node
if (node_access('view', $node)) {
  $find[] = array('link' => $link0, 'title' => $title, 'snippet' => $snippet, 'extra' => $extra, 'node' => $node);
}
?>

This is based on modified code that I have submitted here: http://drupal.org/node/269530 and here: http://drupal.org/node/269990

#1

yas - June 14, 2008 - 03:12

SomebodySysop,

I tried it and it works. I really, really, really appreciate you for your snippet.

#2

yas - June 18, 2008 - 20:03

To ensure the process, I suggest adding isset($node) to the if-condition like this:

<?php
$node = node_load($text_item->nid);

// Return this row only if user has access to view the node
if (isset($node) && node_access('view', $node)) {
  $find[] = array('link' => $link0, 'title' => $title, 'snippet' => $snippet, 'extra' => $extra, 'node' => $node);
}
?>

#3

yas - June 18, 2008 - 20:47

I am sorry that I found that this would be covered by http://drupal.org/node/269530#comment-887060.
So ignore #2.

#4

SomebodySysop - June 18, 2008 - 23:58
Status: needs review » fixed

I realized that what I really needed was a different implementation of the swish.module. My need was not only to enforce file access on the node level, but on the file level as well. I've created a new module, and for this particular section, an additional hook_nodeapi option: 'file' (unsupported by Drupal core):

<?php
$node = array();

// Return this row only if user has access to view the node
$this_access = TRUE;
if (!empty($text_item->nid)) {
  $node = node_load($text_item->nid);
  // Check hook_nodeapi('file');
  $results = node_invoke_nodeapi($node, 'file', NULL, $text_item->filepath);
  foreach ($results as $access) {
    // node_invoke_nodeapi shouldn't even put NULL in its results, but
    // we should check. if no one has anything bad to say about this
    // file, then we're cool
    if (!is_null($access)) {
      $this_access = $access;
    }
  }
}

// Only return find if there is a node and user has access to it as well as passing
// node_invoke_nodeapi above.
// !empty() is used because $node is still an array (or FALSE from a failed
// node_load) when no node was found, and reading ->nid directly raises a notice.
if (!empty($node->nid) && node_access('view', $node) && $this_access === TRUE) {
  $find[] = array('link' => $link0, 'title' => $title, 'snippet' => $snippet, 'extra' => $extra, 'node' => $node);
}
?>

And, I haven't even begun working on enforcing organic groups access control. But, thanks anyway!
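
The loop in #4 keeps the last non-NULL hook answer, so a later TRUE replaces an earlier FALSE. The following is an added example, not part of the original post or of swish.module, showing the same result filtering with an aggregation in which any explicit denial wins; the function names, callbacks and sample hits are hypothetical and stand in for node_access() and the custom 'file' hook.

```php
<?php
// Added example: aggregate_file_access(), filter_hits() and the sample data
// are hypothetical names, not part of swish.module or Drupal core.
// Hook answers: NULL = no opinion, FALSE = deny, TRUE = allow.
function aggregate_file_access(array $answers) {
  foreach ($answers as $answer) {
    if ($answer === FALSE) {
      return FALSE; // one denial is enough, whatever the call order
    }
  }
  return TRUE;
}

// Keep a hit only if it maps to a node, the node is viewable, and no hook denies the file.
function filter_hits(array $hits, $node_access, array $file_hooks) {
  $find = array();
  foreach ($hits as $hit) {
    if (empty($hit['nid']) || !call_user_func($node_access, $hit['nid'])) {
      continue; // no node, or node not viewable: never list the file
    }
    $answers = array();
    foreach ($file_hooks as $hook) {
      $answers[] = call_user_func($hook, $hit['nid'], $hit['filepath']);
    }
    if (aggregate_file_access($answers)) {
      $find[] = $hit;
    }
  }
  return $find;
}

// Constructed sample data: only node 1 is viewable; the first hook denies private/ files.
$hits = array(
  array('nid' => 1, 'filepath' => 'files/public/a.pdf'),
  array('nid' => 1, 'filepath' => 'files/private/b.pdf'),
  array('nid' => 2, 'filepath' => 'files/public/c.pdf'),
  array('nid' => 0, 'filepath' => 'files/orphan.pdf'),
);
$node_access = function ($nid) { return $nid == 1; };
$file_hooks = array(
  function ($nid, $path) { return strpos($path, '/private/') !== FALSE ? FALSE : NULL; },
  function ($nid, $path) { return TRUE; }, // a later module that allows everything
);
foreach (filter_hits($hits, $node_access, $file_hooks) as $hit) {
  print $hit['filepath'] . "\n";
}
```

With the constructed data only files/public/a.pdf is listed; under last-answer-wins the second hook's TRUE would also let files/private/b.pdf through.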

#5

Anonymous (not verified) - July 3, 2008 - 00:07
Status: fixed » closed

Automatically closed -- issue fixed for two weeks with no activity.

 
 
