I have installed both this module & the nodeaccess module for Drupal 6. The FAQs do not honor the nodeaccess permissions. Specifically, I have two roles set up (partner & customer). I have three test FAQs: #1 is granted to Customer only; #2 is granted to Partner only; #3 is not Published yet.

When viewing FAQs through the normal FAQ UI, I only see the correct nodes. However, if I simply type in the URL for an FAQ (I'm using pathauto), I can see it. This includes the unpublished one.

I have all permissions REMOVED from Authenticated User & Anonymous user. (Only Customer & Partner have anything checked). Interestingly, if I log out, then I cannot see any of the FAQs if I try the URL (Access Denied).

So, it seems that the FAQ module may not handle permissions correctly when accessing nodes directly by URL.

Comments

mrmelson’s picture

NOTE: Deleting faq_access from faq.module seems to have resolved this problem. By doing this, it allows nodeaccess to control who can see each faq. This allows FAQs to be targeted to roles & even individual users. It also resolves the bug of users being able to see unpublished faqs.

alexanderpas’s picture

Title: Does Not Work With nodeaccess module » Allow FAQ to adhere to Access Modules.
Status: Active » Needs review
Attachment: new, 558 bytes

hutch’s picture

Perhaps this needs to be worked in using something like

  if (module_exists('node_access')) {
    // ...
  }

So that it can work both ways.
The facility to regulate who gets what without the node_access module should be retained IMHO.

alexanderpas’s picture

No, that's not an option, as that breaks Drupal's modular setup... Also, what about the following modules: Taxonomy Access Control, Taxonomy Access Control Lite, Content Access or even future modules? Do they also need a special case?

hutch’s picture

I was positing a solution to your particular problem and pointing out that it breaks the existing ability to control who sees what. The patch may work for you but I for one won't be using it for that reason. YMMV

stella’s picture

mrmelson: the unpublished node issue has already been reported and fixed in #277349: Unpublished FAQ node visible to everyone.

I will investigate the nodeaccess problem shortly. I'm not particularly fond of either of the two solutions posted above, but will look into it further.

Cheers,
Stella

alexanderpas’s picture

My solution is based upon looking at how other modules handle their stuff ;)

mrmelson’s picture

Stella - Thanks for the pointer to the other bug. I applied the patch & it's working great now.

This is a great module - exactly what I needed.

(And, although I realize it's not a good fix for the module ... I'm actually very happy with the "hack" of deleting faq_access. nodeaccess+faq is proving to be a very powerful combination :)

Perhaps a solution might be a configuration checkbox that says "Skip FAQ Access Checking" with a note that says it is to be checked whenever access control is controlled by another module.

alexanderpas’s picture

Perhaps a solution might be a configuration checkbox that says "Skip FAQ Access Checking" with a note that says it is to be checked whenever access control is controlled by another module.

In my opinion, that is not an option, as that will lead to usability problems, and is exactly the opposite of what is "encouraged" by Drupal.

Removing the view clause will make the faq content-type behave exactly the same as all other content types, which should be expected.

nancydru’s picture

Actually, you probably just need to change the op=view code:

  else if ($op == 'view' && user_access('view faq')) {
    return TRUE;
  }

There are not many cases, other than op=create, where hook_access should be returning FALSE. I'm pretty sure you have all the appropriate db_rewrite_sql's.

alexanderpas’s picture

Nancy, that doesn't work when you need access control based on, for example, the category (taxonomy) the faq is in.

Remember, we shouldn't decide who's allowed to view the faq, the access modules should. (That's why they're there in the first place.)

stella’s picture

Attachments: new, 3.87 KB; new, 3.9 KB

Attached is a patch which should resolve the issue. The 'view faq' permission is now gone and has been replaced with 'view faq page' which controls which users have access to view the generated faq pages, and that's all. If site admins wish to control which users have access to faq nodes, or individual faqs, then one of the access modules should be used, e.g. nodeaccess, tac_lite, etc.

Cheers,
Stella

alexanderpas’s picture

Status: Needs review » Needs work

Contains duplicate code, for example:

node_access() already specifies:

  // Let authors view their own nodes.
  if ($op == 'view' && $user->uid == $node->uid && $user->uid != 0) {
    return TRUE;
  }

Also, disallowing access on unpublished status is already covered in node_access() by the final return FALSE; this might also give problems with content moderation modules.
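
As an added illustration (not code from the FAQ module, its patches, or Drupal core): a simplified PHP model of the order in which Drupal 6's node_access() consults a node type's hook_access() and only then the access-module grants, showing why a hook that answers 'view' itself overrides nodeaccess and exposes unpublished nodes. The function names, role IDs, account object and `$grants` array are assumptions constructed for the example.

```php
<?php
// Simplified model of the decision order in Drupal 6's node_access(); not core
// code. The 'administer nodes' / 'access content' checks are omitted, and
// $account->perms and $grants are constructed stand-ins for user_access() and
// the {node_access} grants table.

// A hook with a 'view' clause of the kind quoted in the thread.
function faq_access_with_view($op, $node, $account) {
  if ($op == 'view' && in_array('view faq', $account->perms)) {
    return TRUE;
  }
  return NULL;
}

// Hook with the view clause removed: no opinion, so grants decide.
function faq_access_deferring($op, $node, $account) {
  return NULL;
}

function model_node_access($hook, $op, $node, $account, $grants) {
  // 1. A non-NULL answer from the node type's hook_access() is final.
  $access = $hook($op, $node, $account);
  if (!is_null($access)) {
    return $access;
  }
  // 2. Otherwise published nodes are decided by access-module grants.
  if ($op != 'create' && $node->status) {
    foreach ($account->roles as $rid) {
      if (!empty($grants[$node->nid][$rid])) {
        return TRUE;
      }
    }
    return FALSE;
  }
  // 3. Authors may view their own nodes; everything else is denied.
  return $op == 'view' && $account->uid == $node->uid && $account->uid != 0;
}

// Constructed data: FAQ 2 is granted to role 4 (partner) only; FAQ 3 is unpublished.
$grants = array(2 => array(4 => TRUE));
$nodes = array((object) array('nid' => 2, 'uid' => 1, 'status' => 1),
               (object) array('nid' => 3, 'uid' => 1, 'status' => 0));
$customer = (object) array('uid' => 7, 'roles' => array(3), 'perms' => array('view faq'));

foreach (array('faq_access_with_view', 'faq_access_deferring') as $hook) {
  foreach ($nodes as $node) {
    $ok = model_node_access($hook, 'view', $node, $customer, $grants);
    printf("%-21s FAQ %d: %s\n", $hook, $node->nid, $ok ? 'allowed' : 'denied');
  }
}
```

With the view clause, the constructed customer account is allowed on both the partner-only and the unpublished FAQ; with the deferring hook, both are denied.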

stella’s picture

Status: Needs work » Needs review
Attachments: new, 3.33 KB; new, 3.36 KB

alexanderpas’s picture

Patches are looking visually okay; however, I would like to see another review ;)

stella’s picture

Status: Needs review » Fixed

Committed.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

stella’s picture

Released in 5.x-2.12 and 6.x-1.8.