Problem: Smartqueue_taxonomy could accidentally update or delete the wrong subqueues when terms are updated or deleted. This might happen because the current SQL just searches for subqueues with a reference that equals the term ID. However, regular nodequeue subqueues store the queue id as the subqueue reference (and other smartqueue modules could store any arbitrary data as the reference). I marked this bug as critical due to the potential for data loss.

Solution: Make sure only smartqueue_taxonomy subqueues are deleted. Add WHERE owner = 'smartqueue_taxonomy' to queries.

CommentFileSizeAuthor
smartqueue-ownercheck.patch1.62 KBjoshuajabbour

Comments

ezra-g’s picture

ezra-g commented

This looks good to me. I will review in more detail as soon as possible. Thanks for catching this!

ezra-g’s picture

ezra-g commented
Status: Needs review » Fixed

Committed to Drupal 6 and 5 branches.

Thanks again!

Anonymous’s picture

Anonymous (not verified) commented
Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.