Closed (fixed)
Project:
Services
Version:
6.x-0.9
Component:
Code
Priority:
Critical
Category:
Bug report
Assigned:
Reporter:
Created:
29 Aug 2008 at 11:57 UTC
Updated:
12 Sep 2008 at 15:42 UTC
In spite of the independent 'load raw node data' permission in the node service module, you must still enable 'access content' for anonymous users if you want anonymous external sites to be able to load nodes. This is a problem if you want the site to be private, which I guess the 'load raw node data' permission was intended to overcome, but it doesn't appear to function correctly. The offending code is here:
function node_service_load_access($nid) {
$node = node_load($nid);
return node_access('view', $node) && user_access('load raw node data');
}
To my mind that should be an *or*, not an *and* ...
function node_service_load_access($nid) {
$node = node_load($nid);
return node_access('view', $node) || user_access('load raw node data');
}
E.g. if the requesting user has permission to view the node *or* has permission to load raw node data. This way I can set site access off but still allow service to work. I can't think of any use case for this to be && as it is now?
Comments
Comment #1
brmassa commentedGreg,
the permission "load raw node data" is important because the API returns all node data, including possible sensitive data. Its not the same as viewing the node, since the admin might control the information to be displayed.
in fact. i believe that "view" permission is irrelevant here. The only possible benefit from calling it is that if node_access() has any special custom validation. If so, its important to maintain it. If not, i might delete the node_access check altogether.
regards,
massa
Comment #2
greg.harveyI understand.
Hmmm, you make a good point about people perhaps wanting to set more granular access using other access modules like taxonomy_access, or even groups, e.g. with the node_access check in place you could be sure your service would not expose nodes in a private group from the OG module.
In that case, I propose is this is an option in admin. Just set a boolean variable, on or off, for this behaviour. It'll take me about 15 minutes to write if you think it's a good idea? I can use hook_form_alter to make it an additional security option when node_service.module is enabled on admin/build/services/settings ?
Comment #3
greg.harveyHow's this?
Comment #4
brmassa commentedGreg,
nice. i commited it on CVS. Its not the definitive solution, once it forbid admins to use both situations. Its probably better to create another service for more flexible checks, but i might do this later.
regards,
massa
Comment #5
greg.harveyCool, thanks. I can't use CVS here because the port is blocked. =(
I've applied to IT to have it opened, then I'll be able to commit myself.
Comment #6
Anonymous (not verified) commentedAutomatically closed -- issue fixed for two weeks with no activity.