I found a bug in the Apache Solr Search Integration (beta8): it's a somewhat odd configuration, but:

Assume a user role X (most likely anonymous) has the 'search content' permission but NOT 'access content' permission.

If a node access module is enabled, core's search module will build up a SQL which will end up respecting this permission indirectly.

In contrast, if apacehsolr_nodeaccess is enabled the bug is such that it will allow the user to search all content instead of the intended behavior of returning an empty search result.

Note that the core search module will also allow a user of role X to search all content if there is no node access module enabled, so there
is some overlap of this bug with core's behavior (which one might also consider a bug or by design).

Since searches don't currently work from 403 pages in Drupal 6.10 (though I think a fix is in the works), one has to test this bug by directly visiting search paths.

This bug came about due to a mistake in this patch. Essentially I waffled between code w and w/out using an exception, and ended up with a broken check: #343252: make node access code multi-site aware

Important note I cleared with the Drupal security team that this issue could be posted publicly. Team members considered this suitable for a public fix since the permission configuration described would only be in place by mistake and has no valid use.

CommentFileSizeAuthor
#1 as-nodeaccess-fix.patch1.15 KBpwolanin

Comments

pwolanin’s picture

Status: Active » Needs review
StatusFileSize
new1.15 KB
pwolanin’s picture

Status: Needs review » Fixed

committed to 6.x

pwolanin’s picture

Status: Fixed » Closed (fixed)