User changes to Author for Node Preview

thomas23@drupal.org - July 21, 2008 - 13:24
Project: Live
Version: 6.x-1.0
Component: Code
Category: bug report
Priority: critical
Assigned: Unassigned
Status: closed
Description

I'm not 100%, hence no security report, but I suspect live.module.

What happens: When I edit some node (article, page) as a user of the "webmaster role" (all rights but not user/1) and hit preview, I see the preview all right. But when I actually save the node, suddenly I see less links/content. When I go to /user I'm directed to the node's author user. I have to log out and back in again as webmaster.

The node's author's group has rights to use live.module on nodes and edit own nodes.

Cheers.

#1

arhip - December 22, 2008 - 07:05

Experiencing this too.

#2

frjo - February 8, 2009 - 18:26

I too see this problem. Not tested, but I suspect lines 46-57 in live.node.inc. The variable $user is being set here, and since there is a "global $user" at the start of the function, the global user object is being messed with.

I believe $user should be replaced with $account instead, like this.

    if ($account = user_load(array('name' => $node->name))) {
      $node->uid = $account->uid;
      $node->picture = $account->picture;
    }
    else {
      $node->uid = 0; // anonymous user
    }
  }
  else if ($node->uid) {
    $account = user_load(array('uid' => $node->uid));
    $node->name = $account->name;
    $node->picture = $account->picture;
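
The scoping problem described in comment #2, as an added example that is not part of the original thread and is not live.module's code. The buggy function is reconstructed from that comment's description; every `demo_*` name and the two accounts are constructed stand-ins, and `demo_user_load()` is a hypothetical replacement for `user_load()`.

```php
<?php
// Constructed stand-ins: this is not Drupal or live.module code.
$accounts = array(
  'webmaster' => (object) array('uid' => 5, 'name' => 'webmaster'),
  'author'    => (object) array('uid' => 9, 'name' => 'author'),
);

// Hypothetical replacement for user_load(): look an account up by name.
function demo_user_load(array $criteria) {
  global $accounts;
  $name = $criteria['name'];
  return isset($accounts[$name]) ? clone $accounts[$name] : FALSE;
}

// Buggy shape: "global $user" makes $user an alias of the logged-in user,
// so the assignment inside the if() replaces that user for the whole request.
function demo_preview_buggy($node) {
  global $user;
  if ($user = demo_user_load(array('name' => $node->name))) {
    $node->uid = $user->uid;
  }
  else {
    $node->uid = 0; // anonymous user
  }
  return $node;
}

// Fixed shape from comment #2: the author is loaded into a local $account.
function demo_preview_fixed($node) {
  global $user; // still in scope, but never assigned to
  if ($account = demo_user_load(array('name' => $node->name))) {
    $node->uid = $account->uid;
  }
  else {
    $node->uid = 0; // anonymous user
  }
  return $node;
}

// Run one preview as the webmaster and report who is logged in afterwards.
function demo_run($preview) {
  global $user, $accounts;
  $user = clone $accounts['webmaster'];
  $node = $preview((object) array('name' => 'author', 'uid' => NULL));
  return sprintf('node uid %d, logged-in uid %d', $node->uid, $user->uid);
}

echo 'buggy: ', demo_run('demo_preview_buggy'), "\n";
echo 'fixed: ', demo_run('demo_preview_fixed'), "\n";
```

Both runs set the node's uid to the author's; only the buggy one also changes the logged-in uid, which matches the symptom reported in this thread.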

#3

svnissen - February 13, 2009 - 08:17
Version: 6.x-0.1 » 6.x-1.0

Hi everybody!

I confirm this effect. I use the latest stable release (6.x-1.0) and I can repeat this "feature" in any direction. So it's no matter if I was UserA and change the author to UserB or vice versa.
If I save the change without a preview with Live-Module (logged in as UserA), nothing special happens. The author is UserB and I'm furthermore logged in as UserA.
But if I take a preview with Live-Module and then save the article, I'm suddenly logged in as UserB.

Sven

PS: Excuse me, but I'm not a native English speaker ;-)

#4

Gurpartap Singh - July 29, 2009 - 22:08
Status: active » fixed

http://drupal.org/node/534976

#5

Heine - July 30, 2009 - 08:19

I'm not 100%, hence no security report, but I suspect live.module.

If you are not 100% sure, please report it as a security issue, we can always go to the public queue, but never vv.

#6

System Message - August 13, 2009 - 08:20
Status: fixed » closed

Automatically closed -- issue fixed for 2 weeks with no activity.

 
 
