Posted by jean-bernard.addor on May 9, 2009 at 5:40am
| Project: | Atom |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed (duplicate) |
Issue Summary
Versions: drupal-6.11, Atom 6.x-1.1, and modr8 6.x-1.1
A node in the moderation queue (modr8) has been found in an atom feed.
This is a serious issue for a moderated web site!
Comments
#1
I don't use modr8, but a quick grep of the code appears to show that it doesn't use hook_node_grants(), which is how atom would know to not show the node.
#2
This module does not provide access control - it uses db_rewrite_sql to exclude moderated nodes from (most) listings.
#3
My point is :
Using moderation (modr8) the node in moderation do not appear in RSS feeds but in Atom feeds, it is unexpected and a serious issue from my point of view. I do not understand the technical points, but maybe this issue should come back to Atom. Then I installed the atom module, I thought it was a rewrite of the rss code adapted to another protocol. Now I have the impression they work pretty differently. I am asking me why atom feeds do not behave like drupal internal rss feeds?
#4
This would suggest the bug is in the Atom module - e.g. that it's not correctly calling db_rewrite_sql()
#5
This is a security issue. Reporting to security team...
#6
Yep db_rewrite_sql is only applied for taxonomy, not for anything else:
/**
* Produces an atom 1.0 feed for the front page content.
*/
function atom_feed() {
...
$nodes = db_query_range("SELECT n.nid FROM {node} n WHERE n.promote = '1' AND n.status = '1' ORDER BY n.created DESC", 0, variable_get('atom_feed_entries', 15));
...
}
function atom_blog_feed() {
...
$nodes = db_query_range("SELECT n.nid FROM {node} n WHERE n.type = 'blog' AND n.status = '1' ORDER BY n.created DESC", 0, variable_get('atom_feed_entries', 15));
...
}
function atom_node_feed($nid) {
...
$nodes = db_query_range("SELECT n.nid FROM {node} n WHERE n.nid = %d AND n.status = '1' ORDER BY n.created DESC", $nid, 0, 1);
...
}
function atom_user_blog_feed($uid) {
...
$nodes = db_query_range("SELECT n.nid FROM {node} n WHERE n.type = 'blog' AND n.uid = %d AND n.status = '1' ORDER BY n.created DESC", $uid, 0, variable_get('atom_feed_entries', 15));
...
}
#7
It is interesting to note that the results of the queries are run through node_load() and then checked through node_access('view', $node) so it's not like it didn't try. I'm wondering why this wouldn't catch nodes restricted with modr8 because sometimes I use the same logic with one of my modules.
<?phpfunction _atom_print_feed($nodes, $feed_info) {
$output = '';
$last_mod = 0;
while ($node = db_fetch_object($nodes)) {
$item = node_load(array('nid' => $node->nid));
if (!node_access('view', $item)) {
continue;
}
...
}
?>
#8
Republishing this issue because the module does run all the proper access checks. Although it should be using db_rewrite_sql() on all those queries.
#9
Note modr8 is not a node access module - it just hides nodes from listings using SQL rewrites.
The technique used by this module is adding the overhead of a lot of extra queries also - it should just let node access, etc, work via rewriting the queries like core does:
http://api.drupal.org/api/function/node_feed/6
#10
Patch attached for review.
#11
#12
Changing title to be more appropriate
#13
I know there's lots of discussion here, but it originated at #61791: Not Respecting Node Access, so I'd prefer to move there so all the other subscribers can follow the change.