Every anonymous user has author role access
John Money - April 18, 2009 - 21:47
| Project: | Workflow |
| Version: | 6.x-1.1 |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs work |
Description
Not sure if this is technically a bug, but any anonymous user can view/edit/delete nodes created by other anonymous authors when workflow access is set to author role.
I think the author role should only apply to nodes created by authenticated users, otherwise the author role access permission becomes relatively meaningless for node types that can be created by both authenticated and anonymous users.
Attached is a patch which will return the workflow_access_owner grant id as $node->uid only for authenticated users; otherwise it returns 1 (i.e. the superuser). Previously, it could also return 0 which, as I said, is every anonymous user.
| Attachment | Size |
|---|---|
| workflow_access-anon-author.patch | 620 bytes |
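To make the issue concrete, here is an added example that is not the Workflow module's code: it models how Drupal 6 matches the grants returned by hook_node_grants() against node_access rows, using the module's realm names from this issue. The "before" function is the behaviour described above (owner grant = $account->uid, even when that is 0); the "after" function is the variant from a later comment that simply omits the owner grant for uid 0. The node_access rows, accounts and the node_access_simulated() helper are constructed for the demonstration.

```php
<?php
// Added example, not the Workflow module's code. Models Drupal 6 node access
// grant matching so the effect of an owner grant of uid 0 is visible.

// Grants as the module returned them before the fix: the owner realm carries
// $account->uid even when that is 0 (every anonymous visitor).
function workflow_access_node_grants_before($account, $op) {
  $access['workflow_access'] = array_keys($account->roles);
  $access['workflow_access_owner'] = array($account->uid);
  return $access;
}

// Fixed variant: anonymous users (uid 0) get no owner grant at all.
function workflow_access_node_grants_after($account, $op) {
  $access['workflow_access'] = array_keys($account->roles);
  if ($account->uid) {
    $access['workflow_access_owner'] = array($account->uid);
  }
  return $access;
}

// Stand-in for the node_access table lookup (constructed helper): access is
// granted when some row for the node matches a (realm, gid) pair the user
// holds and has the flag for the requested operation set.
function node_access_simulated($op, array $rows, array $grants) {
  foreach ($rows as $row) {
    if (!isset($grants[$row['realm']])) {
      continue;
    }
    if (in_array($row['gid'], $grants[$row['realm']], TRUE) && $row['grant_' . $op]) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed sample: one node created by an anonymous visitor. The owner
// row is written with gid = $node->uid, which is 0.
$rows = array(
  array('realm' => 'workflow_access_owner', 'gid' => 0,
        'grant_view' => 1, 'grant_update' => 1, 'grant_delete' => 1),
);

// A different anonymous visitor (also uid 0) and an unrelated authenticated user.
$anon = (object) array('uid' => 0, 'roles' => array(1 => 'anonymous user'));
$auth = (object) array('uid' => 42, 'roles' => array(2 => 'authenticated user'));

foreach (array('before', 'after') as $variant) {
  $fn = 'workflow_access_node_grants_' . $variant;
  printf("%s fix: anonymous view=%d update=%d delete=%d; authenticated view=%d\n",
    $variant,
    node_access_simulated('view', $rows, $fn($anon, 'view')),
    node_access_simulated('update', $rows, $fn($anon, 'update')),
    node_access_simulated('delete', $rows, $fn($anon, 'delete')),
    node_access_simulated('view', $rows, $fn($auth, 'view')));
}
```

Run with the PHP CLI: the "before" line shows a second anonymous visitor receiving view, update and delete on the first visitor's node while the authenticated user gets nothing, which is the inversion described in the report; the "after" line shows the anonymous visitor losing all three.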

#1
Very much a security flaw imo; Drupal in general treats uid 0 as not a real user, so it shouldn't be treated as a user, right?
ie from node_access
<?php
if ($op == 'view' && $account->uid == $node->uid && $account->uid != 0) {
  return TRUE;
}
?>
i.e. most users would not think this is the behaviour, I'd think XD
Anyhow I added the additional check
<?php
function workflow_access_node_grants($account, $op) {
  $access['workflow_access'] = array_keys($account->roles);
  // Only a real (non-zero) uid receives the owner grant.
  if ($account->uid) {
    $access['workflow_access_owner'] = array($account->uid);
  }
  return $access;
}
?>
as a double gotcha so uid 0 doesn't get workflow_access_owner permission.
#2
It's not a bug: it was the decision of the module author to make it work like that. And you can't change default module behavior only because you don't like it, in this case. Some people may want to treat all anonymous users equally and allow editing between all anonymous content. So if you want to change the default behavior in the module, you need to implement it as a module setting which can be switched to what the user likes.
#3
Hm, I see ya point.
There may be a bug then in workflow_field_choices, in that anonymous users are not given the author role:
<?php
if (($user->uid == $node->uid && $node->uid > 0) || (arg(0) == 'node' && arg(1) == 'add')) {
  $roles += array('author' => 'author');
}
?>
Anyhow here's my new suggestion for a patch. It introduces one variable, workflow_user0_is_author, and one alter hook, 'workflow_authors'. 'Twas done that way so other modules could alter who is considered an author as far as workflow is concerned; useful for those using user reference to have several authors? Missing one $node->uid in workflow_access, i.e. in workflow_access_form_submit; not sure what that form is doing.
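The comment above describes a setting plus an alter hook but the attached patch itself is not on this page, so the following is an added example of one way that design could be shaped; it is not the commenter's patch or the module's code. The variable name workflow_user0_is_author and the hook name workflow_authors come from the comment; workflow_node_authors(), the example_ module, the field_coauthor field and the node_access_records shape are assumptions made here. The variable_get() and drupal_alter() stand-ins exist only so the file runs outside Drupal.

```php
<?php
// Added example, not the module's code: a site setting decides whether uid 0
// counts as an author, and an alter hook lets other modules add authors.

// Stand-ins so this runs outside Drupal; real Drupal provides both.
if (!function_exists('variable_get')) {
  function variable_get($name, $default) {
    global $conf;
    return isset($conf[$name]) ? $conf[$name] : $default;
  }
}
if (!function_exists('drupal_alter')) {
  // Calls every defined function named <module>_<type>_alter, as Drupal does.
  function drupal_alter($type, &$data, $extra = NULL) {
    foreach (get_defined_functions()['user'] as $f) {
      if (substr($f, -strlen('_' . $type . '_alter')) === '_' . $type . '_alter') {
        $f($data, $extra);
      }
    }
  }
}

// Hypothetical helper: the uids Workflow treats as authors of $node.
function workflow_node_authors($node) {
  $authors = array();
  // uid 0 is an author only if the site explicitly opts in.
  if ($node->uid > 0 || variable_get('workflow_user0_is_author', FALSE)) {
    $authors[] = (int) $node->uid;
  }
  drupal_alter('workflow_authors', $authors, $node);
  return array_values(array_unique($authors));
}

// Hypothetical hook_node_access_records() body: one owner row per author,
// so the realm never silently carries gid 0 unless the setting allows it.
function workflow_access_node_access_records_example($node) {
  $records = array();
  foreach (workflow_node_authors($node) as $uid) {
    $records[] = array(
      'realm' => 'workflow_access_owner', 'gid' => $uid,
      'grant_view' => 1, 'grant_update' => 1, 'grant_delete' => 1, 'priority' => 0,
    );
  }
  return $records;
}

// A constructed second module extending the author list from a user reference
// field, which is what the comment suggests the alter hook is for.
function example_workflow_authors_alter(&$authors, $node) {
  if (!empty($node->field_coauthor)) {
    foreach ($node->field_coauthor as $item) {
      $authors[] = (int) $item['uid'];
    }
  }
}

// Constructed sample nodes.
$anon_node = (object) array('uid' => 0, 'field_coauthor' => array());
$multi_node = (object) array('uid' => 7, 'field_coauthor' => array(array('uid' => 9)));

$conf = array('workflow_user0_is_author' => FALSE);
printf("setting off, anonymous node authors: [%s]\n", implode(',', workflow_node_authors($anon_node)));
$conf['workflow_user0_is_author'] = TRUE;
printf("setting on,  anonymous node authors: [%s]\n", implode(',', workflow_node_authors($anon_node)));
printf("node with coauthor, owner rows for gids: [%s]\n",
  implode(',', array_map(function ($r) { return $r['gid']; }, workflow_access_node_access_records_example($multi_node))));
```

With the setting off the anonymous node yields no authors and therefore no owner row, which is the behaviour the reporter wants; switching it on restores the original "all anonymous users are the owner" semantics for sites that rely on it, as #2 asks for; and the alter hook lets the coauthor node produce owner rows for both 7 and 9.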
#4
Can anyone give me a realistic use case where anonymous user permissions > authenticated user permissions?
As the module now stands, an anonymous user could view a node created by another anonymous user whereas an authenticated user could not... that makes sense how? where? when?
Further, said authenticated user could just log out and then view the node. It's pretty clearly a flaw in logic... unless I'm missing something (likely).