permissions bug - nodeapi when $op = 'update'

Hi,

I wanted to point out what may be a permissions bug with the print, print_mail, and print_pdf. It occurs when users try to update nodes and only and do not have the 'administer print' nor 'node-specific print configuration' permissions.

For example, in print.module, hook nodeapi is executed and when $op = update, the function _print_node_conf_modify is called. (line 312)

<?php


  case 'update':
      _print_node_conf_modify($node->nid, $node->print_display, $node->print_display_comment, $node->print_display_urllist);

?>

I think there needs to be a statement in _print_node_conf_modify that checks permissions. What was happening was that the print_node_conf table was being populated with values by users who had permissions to edit nodes but did not have 'administer print' nor 'node-specific print configuration' permissions.

The added the if statement if ((user_access('administer print') || user_access('node-specific print configuration'))){ around the logic within the function and it fixed the problem for me, see below:

<?php

function _print_node_conf_modify($nid, $link, $comments, $url_list) {
  if ((user_access('administer print') || user_access('node-specific print configuration'))){
    if (($link == PRINT_TYPE_SHOW_LINK_DEFAULT) && ($comments == PRINT_TYPE_COMMENT_LINK_DEFAULT) &&
    ($url_list == PRINT_TYPE_URLLIST_DEFAULT)) {
      db_query("DELETE FROM {print_node_conf} WHERE nid = %d", $nid);
    }
    else {
      db_query("UPDATE {print_node_conf} SET link = %d, comments = %d, url_list = %d WHERE nid = %d", $link, $comments, $url_list, $nid);
      if (!db_affected_rows()) {
        db_query("INSERT INTO {print_node_conf} (nid, link, comments, url_list) VALUES (%d, %d, %d, %d)", $nid, $link, $comments, $url_list);
      }
    }
  }
}

?>

btw - this is an awesome module.

Best,
-Joe