Problem: Unauthorized Locking of Nodes that cannot be edited

thekevinday - April 3, 2009 - 15:30
Project:Checkout (Content locking)
Version:6.x-2.2
Component:User interface
Category:bug report
Priority:critical
Assigned:Unassigned
Status:needs review
Description

Take a user without permissions to view or edit some content type.

Let's say that content type nid is 45.

The said user goes to the URL and triggers a lock on content they are not allowed to edit or even view: http://example/node/45/edit

I can log in as a user who _is_ authorized to edit, and if the above user did what was mentioned, the "this document was locked by.." does in fact show up!

Additional Potentially Relevant Modules Installed: ACL, Content Access.

#1

thekevinday - May 8, 2009 - 17:53

#2

smk-ka - May 8, 2009 - 22:40
Status:active» needs review

Nice catch! I've just fixed one place: node_access() requires a node object, not a nid. Otherwise this looks good to me.

AttachmentSize
checkout.module-check_access.patch 1.19 KB

#3

thekevinday - May 11, 2009 - 14:00

Thanks for the correction, I rushed the patch out without much testing at all...

Something still went wrong during my testing, so I looked at http://api.drupal.org/api/function/node_access/6

Apparently, it should not be 'edit' but instead 'update'.

AttachmentSize
checkout.module-check_access.patch 1.2 KB

#4

smk-ka - June 17, 2009 - 17:23

Found a better solution using menu_get_item(): the hardwired node_access('update', ...) only checks for node edit permissions, which might be sufficient for node/%/edit, but not any other path that can be locked. For example, on node/%/outline we need to check for book.module's "administer outline" permission. This can be done by directly querying the menu system and letting it figure out the access permissions.

AttachmentSize
422870-checkout-access.patch 1.34 KB
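The two checks discussed in #2, #3 and #4 side by side, as an added illustration that is not the Checkout module's own code and not any patch attached to this issue. The `example_` functions and the static lock table are assumptions made for this illustration; `node_load()`, `node_access()`, `drupal_get_normal_path()` and `menu_get_item()` are the real Drupal 6 APIs the comments refer to.

```php
<?php
// Added example, not Checkout's code. Names prefixed "example_" are assumptions.

/**
 * Narrow check, in the spirit of the first patches: only covers node/%/edit.
 *
 * node_access() wants a loaded node object, not a nid (#2), and the
 * operation is 'update', not 'edit' (#3).
 */
function example_checkout_can_lock_node($nid, $account = NULL) {
  $node = node_load($nid);
  if (!$node) {
    return FALSE;
  }
  return node_access('update', $node, $account);
}

/**
 * General check, following the approach of #4: let the menu router decide.
 *
 * menu_get_item() loads the path's arguments (the %node object, for
 * instance) and runs the router item's own access callback, so a path like
 * node/45/outline is judged by book.module's permission and node/45/edit by
 * node_access(), without Checkout hardcoding either rule.
 */
function example_checkout_can_lock_path($path) {
  // Resolve aliases so that an aliased edit URL maps back to node/%/edit.
  $path = drupal_get_normal_path($path);
  $item = menu_get_item($path);
  // menu_get_item() returns FALSE for paths with no router item or whose
  // placeholder objects (e.g. a nonexistent nid) could not be loaded.
  return $item && !empty($item['access']);
}

/**
 * Record a lock only after the access check passes. An unprivileged visit
 * to node/45/edit therefore leaves no lock behind, which is the bug the
 * original report describes.
 *
 * The static array stands in for the module's lock storage (assumption).
 */
function example_checkout_try_lock($path, $uid) {
  static $locks = array();
  if (!example_checkout_can_lock_path($path)) {
    return FALSE;
  }
  if (!isset($locks[$path])) {
    $locks[$path] = $uid;
  }
  // Returns the uid that holds the lock (possibly another user's).
  return $locks[$path];
}
```

One caveat a practitioner should keep in mind: menu_get_item() evaluates access for the current global $user at request time, so unlike node_access() it cannot be asked about an arbitrary $account; that matches Checkout's use case, where the lock is taken by whoever is viewing the path.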

#5

DanielTheViking - September 1, 2009 - 09:09

Subscribing.

#6

thekevinday - September 11, 2009 - 18:43

I have had the #4 patch applied for a little while now without any related troubles popping up.

#7

cels - November 25, 2009 - 16:50

Has anyone tested if there are problems with
· Taxonomy Access Control
· Domain Access
· Domain Access patch: multiple_node_access patch (allows you to use AND logic instead of OR logic: ALL of the access modules must allow you to view/edit the node, not only one)

I'll try to reproduce the scenario and test it.
