Posted by tolmi on October 14, 2008 at 9:51am
| Project: | Protected node |
| Version: | 6.x-1.5 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | AlexisWilke |
| Status: | closed (fixed) |
Issue Summary
If a user protects a node, hits preview, and then leaves the page, the module won't clean up completely after itself, because the entered_password session variable isn't cleared in this scenario.
Comments
#1
Wow, this is a pretty terrible problem. It could also happen in the situation where a piece of content is previewed or saved (or even when the "Delete" button is clicked) and then you later go and modify a *completely* different node through admin/content/node or Views Bulk Operations. You very well could accidentally change passwords on a ton of nodes all at once.
The use of $_SESSION is completely unnecessary and should be removed entirely.
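The failure mode described in #1, sketched as an added example that is not part of the original thread and not the Protected node module's code: plain arrays stand in for `$_SESSION` and node storage, and all function names are hypothetical. It contrasts a save path that reads the password from session state with one that accepts it only from the form submitted for that node.

```php
<?php
// Constructed simulation. Plain arrays stand in for $_SESSION and node storage;
// every function name here is hypothetical, not the module's API.
$session = [];
$nodes = [1 => null, 2 => 'keep-me', 3 => null]; // nid => stored password

// Before: preview parks the entered password in session-scoped state.
function preview_with_session(array &$session, string $password): void {
    $session['_protected_node']['entered_password'] = $password;
}

// Before: save trusts the session value for whichever node is being saved.
function save_with_session(array $session, array &$nodes, int $nid): void {
    if (isset($session['_protected_node']['entered_password'])) {
        $nodes[$nid] = $session['_protected_node']['entered_password'];
    }
}

// After: the password arrives with the submitted form and is bound to one nid.
function save_from_form(array &$nodes, int $nid, array $submitted): void {
    if (($submitted['nid'] ?? null) === $nid && isset($submitted['password'])) {
        $nodes[$nid] = $submitted['password'];
    }
}

// Request 1: the user protects node 1, previews, then leaves the page.
preview_with_session($session, 'secret-for-node-1');

// Request 2: a bulk operation saves nodes 2 and 3 with no password submitted.
$with_session = $nodes;
$from_form = $nodes;
foreach ([2, 3] as $nid) {
    save_with_session($session, $with_session, $nid);
    save_from_form($from_form, $nid, []);
}

foreach ([2, 3] as $nid) {
    printf("node %d: session-based save changed password: %s, form-based: %s\n",
        $nid,
        $with_session[$nid] !== $nodes[$nid] ? 'yes' : 'no',
        $from_form[$nid] !== $nodes[$nid] ? 'yes' : 'no');
}
```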
#2
It seems to work without the $_SESSION['_protected_node']['entered_password']
#3
Making a note here, mainly. I'm not too sure I understand what you mean by "poisoned," but I'll look into how to remove all those $_SESSION. I think that the only one "necessary" is the one representing a cookie so we know that a user entered the password. All the others are probably not necessary.
Thank you.
Alexis
#4
Alright, all $_SESSION's are gone except the one to mark that a password was entered (since we need to attach that to each specific user.)
Let me know if you like this version better.
Thank you.
Alexis Wilke
#5
Automatically closed -- issue fixed for 2 weeks with no activity.