
Discovered Links do not respect node access

Project: Related links
Version: 6.x-1.x-dev
Component: Code
Category: bug report
Priority: critical
Assigned: Unassigned
Status: needs review

Issue Summary

This is a serious problem. Without a serious redesign I'm not sure how this will be possible. There is no call to db_rewrite_sql() when discovering links. But! Even a fix there wouldn't solve the problem. The problem *really* shows up when a very privileged user causes a bunch of nodes to be discovered for the node he is viewing. These nodes will be displayed in the block regardless of whether the next user is an anonymous user or a privileged user (imagine a node related by taxonomy that is unpublished, for instance).

I believe the solution lies in discovering links during cron run NOT on block loading. Cron run ensures that only nodes that are viewable by anon users will be added to the block.

The other way to do it is to put the nodes through db_rewrite_sql() on block content generation. Unfortunately, because the module loads related links on node load, node caching mechanisms get in the way. Thus, a privileged user (this doesn't mean a user role, btw; think OG) views a node, and discovered links are added for that user AND the node cache is set.

A non-privileged user with the same Drupal role, who isn't a member of the same groups, views the node, gets the cached version and hence bad related links.

So! Given the current design of the module, I'm not sure how I would patch it to make it respect node_access. It would require a rewrite of a lot of things in there.

Comments

#1

I too have been annoyed that links are listed that the user does not have access to. I just wrote a little mod that is based on the remove_nonviewable_menu_items module.

The mod does the following:

1. ignores img and mailto links, since I really don't want them listed
2. modifies _relatedlinks_filter() to not return links to nodes that the user can't view

I'm sure it can probably be improved, but at least it's working and is a starting point.

It would be nice if the relatedlinks table contained the node id of the node being linked to, and if we had an efficient way to determine whether we can access a node by its node id rather than having to load the node.

Attachment: remove_nonviewable.patch (1.82 KB)

#2

Status: active » needs review

#3

I haven't tested this patch, as I am no longer using this module for finding related links. We actually have the feature turned off till we figure out what we want to do. I would mention that you should avoid preg_match and use strpos() when possible (like for determining if it's a mailto or img link); it is immensely faster. Doing node_access view like that all the time is pretty db heavy. It would be better if there was a way to db_rewrite_sql().

#4

I tested the patch manually to version 6.x-1.x-dev and it didn't work for me. The blocks wouldn't show at all.

I'll try to write a patch using strpos() and db_rewrite_sql() as Scott Reynolds mentions.

#5

Version: 5.x-2.2-beta » 6.x-1.x-dev

My first patch... please let me know if I'm doing something wrong. I've applied it to the latest version 6.x-1.x-dev.

I've replaced preg_match with strpos(). I wasn't able to figure out db_rewrite_sql() to check access permissions, but at least the module is working for me now and checking access permissions. I also added a bit to allow external links to bypass the node access check.

Hope this helps someone else!

Attachment: remove_nonviewable.patch (1.53 KB)
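The following is an added illustration of the approach discussed in #1 (filter out links to nodes the user can't view, skip img and mailto links) combined with the suggestion in #3 (use strpos() and db_rewrite_sql() instead of a node_access()/node_load() call per link). It is not the Related links module's own code and not the patch attached to any comment here. The function names `_relatedlinks_filter_viewable()` and `_relatedlinks_viewable_nids()` are hypothetical, and the assumption that each link is an array with an `href` key is mine; the real `_relatedlinks_filter()` signature is not shown on this page. `db_rewrite_sql()`, `db_placeholders()`, `drupal_get_normal_path()`, `menu_path_is_external()` and `user_access()` are the Drupal 6 core functions.

```php
<?php
/**
 * Return only the links the current user is allowed to see.
 *
 * Hypothetical helper, not the module's _relatedlinks_filter(). Assumes each
 * element of $links is an array with an 'href' key (an assumption).
 */
function _relatedlinks_filter_viewable($links) {
  $keep = array();
  $node_links = array();   // nid => list of links pointing at that node

  foreach ($links as $link) {
    $href = $link['href'];

    // Drop mailto: and image links with strpos() rather than preg_match() (#3).
    if (strpos($href, 'mailto:') === 0 || strpos($href, '<img') !== FALSE) {
      continue;
    }

    // External links are not subject to node access and pass straight through (#5).
    if (menu_path_is_external($href)) {
      $keep[] = $link;
      continue;
    }

    // Resolve a path alias such as "about/team" to its system path "node/123".
    $path = drupal_get_normal_path(trim($href, '/'));
    $parts = explode('/', $path);
    if ($parts[0] == 'node' && isset($parts[1]) && ctype_digit($parts[1])) {
      // Defer the decision until we can check all node ids in one query.
      $node_links[(int) $parts[1]][] = $link;
    }
    else {
      // Internal links that are not nodes (user/1, taxonomy/term/5, ...) are
      // outside the scope of node access; keep them unchanged.
      $keep[] = $link;
    }
  }

  // One access-aware query for every referenced node instead of node_load() each.
  $viewable = _relatedlinks_viewable_nids(array_keys($node_links));
  foreach ($node_links as $nid => $links_to_node) {
    if (isset($viewable[$nid])) {
      $keep = array_merge($keep, $links_to_node);
    }
  }
  return $keep;
}

/**
 * Return array(nid => TRUE) for the subset of $nids the current user may view.
 *
 * db_rewrite_sql() appends the node_access join for the primary table alias
 * 'n', so grant-based modules (OG, content_access, ...) are honoured without
 * loading a single node. Unpublished nodes are filtered explicitly, mirroring
 * what node_access('view') does for users without 'administer nodes'.
 */
function _relatedlinks_viewable_nids($nids) {
  if (empty($nids)) {
    return array();
  }
  $status = user_access('administer nodes') ? '' : 'AND n.status = 1 ';
  $sql = "SELECT n.nid FROM {node} n WHERE n.nid IN (" . db_placeholders($nids) . ") " . $status;
  $result = db_query(db_rewrite_sql($sql), $nids);

  $viewable = array();
  while ($row = db_fetch_object($result)) {
    $viewable[$row->nid] = TRUE;
  }
  return $viewable;
}
```

Two points the summary makes still apply to this shape of fix: the filter has to run when the block is rendered for the current user, because anything computed at node load ends up in the node cache and is then served to users with different grants; and db_rewrite_sql() only covers what node access modules express as grants, so the explicit status check is what keeps unpublished nodes out for ordinary users.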