On my test site I've found that whoever clicks on the "Discuss This!" link is the author of the Forum Topic. On the Discuss This! settings page there is a setting that allows you to choose the default author of the forum topic. This user doesn't seem to be used.

Does this setting only get used if an anonymous user clicks the link?

Comment: #2, File: discussthis.302050.patch, Size: 1.53 KB, Author: spiderman

Comments

spiderman’s picture

Assigned: Unassigned » spiderman

First off, thanks for pointing this out (and sorry it took me so long to notice!) This turns out to be a fundamental flaw in the logic of how this module creates new forum topics. Because it uses drupal_execute to essentially submit the same form the current user would if they went to node/add/forum, it is subject to the same access checks as it would going through the normal node-creation mechanism. As such, this drupal_execute will only work at all if the user in question has "create forum topics" permissions.

Beyond that, if the user doesn't have "administer nodes" permission, they are not able to change the author of the node they are auto-creating.

As I see it, there are two ways out of this:

1) Work around the standard node system and adjust (subsequent to the drupal_execute call) the node table for the new forum topic directly. This would quickly accomplish the feature I set out to build, but is unsatisfying because it no longer respects the core permissions/access system.

2) Scrap this feature altogether, or perhaps introduce a fifth permission which would allow author overrides only for forum topics auto-created by Discuss This. This is slightly more secure but constrains the admin's options for what the module can do.

My guess is the first way is probably fine, since there is already a permission controlling whether a given role can initiate these specific forum topics in the first place (i.e. access control around the drupal_execute call), and the admin can choose to turn this feature off by leaving the default author setting blank (meaning use the current user).

I'll work on rolling a patch to this effect, but will refrain from committing it to my upcoming 1.0 release until I hear some feedback on this point: is there a third way forward, perhaps? Concerns or issues with the first approach above?
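
The comment above weighs a direct post-creation author change against a dedicated permission for the override. The following is an added example, not code from the Discuss This module or its patch, showing the two combined: the author is changed after the topic exists, but only behind a permission of its own. It assumes the Drupal 5/6-era API; every `example_discuss_*` name, the permission string and the variable name are hypothetical.

```php
<?php
// Added example, not Discuss This code. The "example_discuss_*" names,
// the permission string and the variable name are hypothetical.

/**
 * Implementation of hook_perm(): a dedicated permission for the override.
 */
function example_discuss_perm() {
  return array('override discussion topic author');
}

/**
 * Reassign a freshly auto-created forum topic to the configured default
 * author, but only when the initiating user's role allows it.
 *
 * @param $nid Node id of the topic created by the drupal_execute() call.
 * @return TRUE if the author was changed, FALSE if the topic was left alone.
 */
function example_discuss_apply_default_author($nid) {
  // A blank setting means "use the current user", as described in the thread.
  $name = trim(variable_get('example_discuss_default_author', ''));
  if ($name === '') {
    return FALSE;
  }
  // This change skips the node form's "administer nodes" check, so gate it
  // on its own permission instead of applying it for every initiating user.
  if (!user_access('override discussion topic author')) {
    return FALSE;
  }
  // Refuse unknown or blocked accounts rather than saving a dangling uid.
  $account = user_load(array('name' => $name));
  if (!$account || !$account->status) {
    return FALSE;
  }
  // Only touch forum topics; never re-author an arbitrary node by id.
  $node = node_load($nid);
  if (!$node || $node->type != 'forum') {
    return FALSE;
  }
  $node->uid = $account->uid;
  node_save($node);
  return TRUE;
}
```

Every early return leaves the topic owned by the user who clicked the link, which is the behaviour the original report describes.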

spiderman’s picture

Status: Active » Needs review
Status: new, Size: 1.53 KB

Here's a patch that fixes this bug by adjusting the new forum topic after the drupal_execute runs. I noticed while testing that the forum taxonomy terms can get messed up if the initiating user doesn't have the right permissions, so these are adjusted as well.

spiderman’s picture

Committed for inclusion in 1.0 release: http://drupal.org/cvs?commit=146782

spiderman’s picture

Status: Needs review » Fixed

neyoung’s picture

Awesome! I'm going to test this out along with http://drupal.org/node/302045 later this week. Thanks for the patches and the 1.0 release :)

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.