
nodequeue_queue_access should call subqueue_api_access first

Project: Nodequeue
Version: 6.x-2.0
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

The AJAX callback for adding a node to a node queue you can administer didn't work due to an error in the access function controlling that functionality.
smartqueue_og_queue_access() has been corrected in this patch.

Together with my previous patch, I got smartqueue_og all working. You might consider releasing your 6.x-1 version.

cheers,
TUc

Attachment: smartqueue_access.patch | Size: 1004 bytes | Status: Ignored: Check issue status. | Test result: None | Operations: None

Comments

#1

Title: callback doesn't work » Callbacks for adding/removing a node should be use nodequeue_node_and_subqueue_access
Project: Smartqueues for Organic Groups » Nodequeue
Version: 6.x-1.x-dev » 6.x-2.0
Priority: critical » normal
Status: needs review » active

Thanks for your attention here. Actually, I think this is a bug in Nodequeue.module. While your fix does in fact work, I believe it's not the proper place to change the permission checking.

"Manipulate all og nodequeues" is supposed to be used to control access not only to manipulating og subqueues, but also to administering the queue that contains all og queues. The callback for the path admin/content/nodequeue/%nodequeue/add/%subqueue/%node (and the equivalent path for removing a node) should really call a "nodequeue_node_and_subqueue_access" function rather than the current "nodequeue_node_and_queue_access" since the smartqueue api allows users permission to manipulate a specific subqueue (such as an og or per-user subqueue) without being able to administer the whole queue. This should be a relatively straightforward fix.

Please note that this is not an access bypass or any kind of security issue, since if anything, this access check is overly restrictive.

#2

Title: Callbacks for adding/removing a node should be use nodequeue_node_and_subqueue_access » nodequeue_queue_access should call subqueue_api_access first

Actually, we don't need a new access checking function since nodequeue_queue_access accepts an optional subqueue parameter. This patch changes it so that subqueue_api access control is called and the result returned before queue access, so more granular access control is possible :D. Hooray, smartqueue API!

This is basically committable, but I'll leave it in the queue for testing for a little while.

Attachment: 402620.patch | Size: 822 bytes | Status: Ignored: Check issue status. | Test result: None | Operations: None
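
The ordering described in comment #2, as an added example that is not part of the thread and not Nodequeue's code: a stand-alone PHP model in which the subqueue check is consulted first and the queue-level check is the fallback. The model_* functions, the three accounts and the subqueue are constructed for illustration; only the permission name comes from comment #1.

```php
<?php
// Stand-alone model of the access decision; not Nodequeue's code.
// All function names, accounts and ids are constructed for illustration.

define('QUEUE_PERM', 'manipulate all og nodequeues');

// Constructed accounts: site-wide permissions and group memberships.
$accounts = array(
  'admin'  => array('perms' => array(QUEUE_PERM), 'groups' => array()),
  'member' => array('perms' => array(), 'groups' => array(7)),
  'guest'  => array('perms' => array(), 'groups' => array()),
);

// Queue-level check: only the queue-wide permission counts.
function model_queue_access(array $account) {
  return in_array(QUEUE_PERM, $account['perms'], TRUE);
}

// Subqueue-level check, as the module owning the subqueues would supply it:
// queue-wide permission, or membership of the group the subqueue belongs to.
function model_subqueue_access(array $subqueue, array $account) {
  return model_queue_access($account)
    || in_array($subqueue['group'], $account['groups'], TRUE);
}

// Before: the subqueue argument plays no part, so group members are denied.
function model_access_before(array $account, $subqueue = NULL) {
  return model_queue_access($account);
}

// After: with a subqueue, its check runs first and its result is returned;
// without one, the decision falls back to the queue-level check.
function model_access_after(array $account, $subqueue = NULL) {
  if ($subqueue !== NULL) {
    return model_subqueue_access($subqueue, $account);
  }
  return model_queue_access($account);
}

$subqueue = array('id' => 12, 'group' => 7); // constructed subqueue for group 7
foreach ($accounts as $name => $account) {
  printf("%-6s before=%-5s after=%-5s whole-queue=%s\n", $name,
    var_export(model_access_before($account, $subqueue), TRUE),
    var_export(model_access_after($account, $subqueue), TRUE),
    var_export(model_access_after($account), TRUE));
}
```

Because the subqueue check's result is returned directly, that check is the only gate for a subqueue request, so it has to deny non-members itself, as the guest row shows.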

#3

Status: active » needs review

#4

Status: needs review » fixed

This is applied.

#5

Status: fixed » closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.
