Related: #287689: Implementation of hook_access in iPaper does not play well with workflow_access

The implementation of hook_access is faulty and returns TRUE or FALSE when it should return TRUE or NULL to allow other node access modules to grant permission to ipaper nodes.
See function node_access for how this works. This was problematic for us since we sell node access to iPaper content.

Patch also removes some redundant stuff from the hook_access which is already handled by node_access before it calls ipaper_access.

CommentFileSizeAuthor
#15 access_ctrl.png52.36 KBgraeme smith
access.patch1.3 KBjody lynn

Comments

Anonymous’s picture

Status: Needs review » Reviewed & tested by the community

i reviewed and tested this, works for me. its a very simple patch, RTBC.

rares’s picture

This makes sense, but I'm not sure I understand what happens when ipaper_access will return NULL. granted, other modules will be able to override, but are there any other permissions in the drupal core that will take precedence over the ipaper permissions if NULL is returned?

According to the hook_access documentation
Return value
TRUE if the operation may be performed; FALSE if the operation may not be returned; NULL to not override the settings in the node_access table.

So in this case, for instance, can we expect that by returning NULL for op=='view' a user with 'access content' will be able to view that particular ipaper?
I agree that the module should be able to work well with other access control module, but we need to be cautious about blocking access where necessary, or else we might have to release a security update.

jody lynn’s picture

Status: Reviewed & tested by the community » Needs review

Good point.

Basically node_access asks:
Can the user administer nodes? return TRUE
Can the user not access content? return FALSE
Did the ipaper module grant access? return TRUE
Did the ipaper module deny access? return FALSE
If ipaper returned NULL,
did any node access module grant access? return TRUE
(if no node access modules exist, this returns TRUE)
did the user author this node? return TRUE
Otherwise, return FALSE.

Therefore if ipaper returns TRUE or NULL and you don't have any other node access modules, the 'view ipaper' permission will be ignored and 'access content' will give view ipaper permission.
If instead ipaper returned NULL or FALSE (if you weren't given the perm), it could still prevent access without overriding other node access modules.

Setting it back to 'needs review' because I think we need to test this thoughtfully both with and without additional node access modules (we only tested with additional node access module).

rares’s picture

I looked at node_access and it does exactly what you said. I don't see any solution to this other than to add some kind of option to the administration page where people to choose whether to bypass permissions (return NULL in to ipaper_access). Or we could add some kind of if (module_existss('nodeaccess')) return NULL;
Does anyone know how other modules defining content types deal with this?

On the other hand, moving forward, this module will define a CCK field instead of a content type, so access will be managed differently. Does anyone know how to code for CCK so we can move forward with this quickly (it has been requested several times).

jody lynn’s picture

Makes sense, yeah ultimately having a separate view permission for a node module seems problematic.

I can help with the CCK field approach- it will probably require a new branch with a warning that the update will be drastic.

rares’s picture

ok, I will commit some small final changes to 1.x, release 1.0 and create 2.x sometime this week. When I create 2.x I will try to make it a little modular so that you can more easily adapt it to CCK, and then you can rewrite it however you think it's necessary. I can help too, especially if you create the CCK functions. We can continue this discussion under #319069: Adding this to CCK, where I will make an announcement as soon as I create the new branch.

I don't know what to do about the view permission. I think I will leave it like this for the 1.0 release, but I will apply the patch and have it return NULL for the other permissions.

BenK’s picture

Any word on when the patch will be committed and the 1.0 release created?

Thanks,
Ben

rares’s picture

I've just committed a version that has all the changes suggested by Jody Lynn in the patch, except for 'view ipapers', which continues to have

  case 'view':
    return user_access('view ipapers');

changing that to
return user_access('view ipapers)' ? TRUE : NULL;
would mean falling back to 'access content', which would no longer justify having a separate permission. I guess we could take out that permission, but probably most users have gotten used to it, and we are planning a new version (2.x) anyway so we might as well leave this the way it is. I agree nonetheless that view permission handling should normally be left to specialized party modules. I'll mark this as fixed but if there are enough people that want the future 1.x releases to deprecate this permission. In the meantime, I guess it's easy to change the code to suit your need if you have a problem with nodeaccess.

rares’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

rares’s picture

Status: Closed (fixed) » Needs work

Reopening this because, as pointed out in #910164: Integration - Content Access and ACL, this is still an issue.
I ultimately agree that having a view permission for this module is problematic, but I'm concerned that if we remove this permission, people who have depended on it will have problems.
In the meantime, there is no way to have this work as designed without removing the permission entirely:

return user_access('view ipapers') ? TRUE : FALSE;
current implementation; does not play well with node access modules at all

return user_access('view ipapers') ? TRUE : NULL;
problem: Users with this permission will have access irrespective of what other overrides happen in other access modules.

return user_access('view ipapers') ? NULL: FALSE; or return user_access('view ipapers') ? NULL: NULL;
problem: access modules will work, however, anyone who has 'access content' will also be able to see ipapers; this defeats the purpose of having a separate permission for this type of content and is the same as not having the permission at all.

So, the only sustainable solution is to eliminate this completely. However, I will need to write a hook_update script for that, and I don't have time to do that at the moment.
So, in the meantime, the solution for anyone who wants to use this module together with content_access, node_access etc is to remove the following 2 lines from ipaper.module:

    case 'view':
      return user_access('view ipapers') ? TRUE : NULL;
graeme smith’s picture

Sorry for being ( probably) stupid rares, but do you mean this whole block?

case 'view':
if ($node->uid == $account->uid && $account->uid != 0)
return TRUE;
if ($node->status == 0)
return user_access('administer nodes');
return user_access('view ipapers');

I looked for

return user_access('view ipapers') ? TRUE : NULL;

in the ipaper.module file, but it isn't there.

File header is:

// $Id: ipaper.module,v 1.1.2.43 2009/10/09 14:44:06 rares Exp $
// $Name: DRUPAL-6--1-1 $
/*
* @file
* iPaper module hooks and functions
* Extends iPaper content type, calls funtions in scribd.php to implement Scribd API
*/

Peladon

rares’s picture

my mistake. 6.x-1.1 has the code that you mentioned. in that case, yes, remove that whole thing.
in 6.x-1.x-dev there is some different code, based on what Jody Lynn suggested. I guess you could try to see if that code works as you need it to; my guess is that it will not.

graeme smith’s picture

My thanks. I'll try that tonight...

Peladon

graeme smith’s picture

StatusFileSize
new52.36 KB

Ah, well. If I did it right:

Edited block out of ipaper.module

Rebuilt permissions

However... access is still blocked by the module.

No matter. This still seems the best way for me to display the types of files I need to... so I'll keep massing around with it in case I've banjaxed it somewhere and cross my fingers :-).

My thanks for the input and support!

Peladon

izmeez’s picture

subscribing, the approach taken in the support module may be helpful, http://drupal.org/node/768354