By blogbold on

I want to check if a node can be viewed by anyone (anonymous user).
If a user is logged in, the result should be the same.

The problem seems to be:
If user logged in has view-permission, the test should return false if an anonymous user has no view-permission.

I tried:

// get the anonymous user (might be wrong or incomplete)
$any_user = user_load(array('name' => ''));
// check view access for anonymous user
$any_access = node_access('view', $node, $any_user);

If a user is logged in, this returns true (or >=1) if the logged in user has view permission, even if anonymous user has no view permission.

I use the module "node_access" to grant permissions. The configuration works as it should.
Version of Drupal 6 and module is the current/latest stable.

btw: the function node_access() returns not only TRUE/FALSE but also a number (maybe how many permissions are set that allow access).

Categories: Drupal 6.x

Comments

gpk’s picture

gpk commented 
$anon_has_access = node_access('view', $node, drupal_anonymous_user());

Looks as if http://api.drupal.org/api/function/node_access/6 can indeed return an integer greater than 1 (in which case treat it as TRUE).

gpk
----
www.alexoria.co.uk

gpk
----
www.alexoria.co.uk

blogbold’s picture

blogbold commented

Thanks!
drupal_anonymous_user() obviously is the correct function to get the anonymous user.

Unfortunately, the problem is the same:
if a user is logged in, $anon_has_access is true even if anonymous user doesn't have (view) permission.
It should be false - I need a test that returns the view permission of the anonymous user, regardless of user logged in or not.

gpk’s picture

gpk commented

What does $node look like?

gpk
----
www.alexoria.co.uk

gpk
----
www.alexoria.co.uk

blogbold’s picture

blogbold commented

copy&paste relevant lines:

$query = "SELECT * FROM {node}";
$queryResult = db_query($query);
while ($node = db_fetch_object($queryResult)) {
// ...
gpk’s picture

gpk commented

Hmm must have missed something simple. Looks like that should work. Maybe backup node.module and dive in, adding debug statements to http://api.drupal.org/api/function/node_access/6 (unless you have a PHP debugger). Need to find which return statement is being executed in http://api.drupal.org/api/function/node_access/6, and what $node and $user look like in that function. print_r and drupal_set_message() may come in handy.

gpk
----
www.alexoria.co.uk

gpk
----
www.alexoria.co.uk

blogbold’s picture

blogbold commented

Attention to all readers: maybe I'm completely wrong, and my patch has bad sideeffects!

I think the function nodeaccess_node_grants() has a bug: it doesn't use the argument $account.

file: nodeaccess/nodeaccess.module (only the function)

nodeaccess module 6.x-1.2 original code:

function nodeaccess_node_grants($account, $op) {
  global $user;

  $roles = is_array($user->roles) ? array_keys($user->roles) : array(-1);
  return array('nodeaccess_rid' => $roles, 'nodeaccess_uid' => array($user->uid), 'nodeaccess_author' => array($user->uid));
}

modified so argument $account is used (with fallback to $user, as seen in node.module):

function nodeaccess_node_grants($account, $op) {
  global $user;

  if (empty($account)) {
    $account = $user;
  }

  $roles = is_array($account->roles) ? array_keys($account->roles) : array(-1);
  return array('nodeaccess_rid' => $roles, 'nodeaccess_uid' => array($account->uid), 'nodeaccess_author' => array($account->uid));
}

Note the use of $account in the last lines ($roles = ... and return array...) of code!
With this modification, my module gets the correct view access permission for the anonymous user, regardless of user logged in or not.

blogbold’s picture

blogbold commented

http://drupal.org/node/323977

gpk’s picture

gpk commented

Yes that would explain what's going on!

gpk
----
www.alexoria.co.uk

gpk
----
www.alexoria.co.uk