In slot_machine.utils.inc, in slot_machine_display_content there are queries which return nodes without checking for any sort of access control (usually db_rewrite_sql for listings, but since most of these are single nodes, even a basic node_access would work here potentially, and then return nothing for that topic, while an sql access_check might return a different node for the slot.. which behavior is correct depends on your use case, I think. If featured in the slot is Node A, but it isn't going to be visible to the user, do you want no Node, or Node B which is visible to them?)
I haven't yet audited closely for other places in the code, but a quick grep didn't find any db_rewrite_sql or node_access calls at all.
I have a project that will need access control to work and not show slot content to unauthorized users, will you take a patch that adds this?
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | slot_machine.patch | 6.1 KB | ebeyrent |
Comments
Comment #1
ebeyrent commentedHere's a rough patch. It's gone through almost zero testing, and really needs a bunch of people to take a look at it.
Comment #2
mcarbone commentedThanks. I'll take a look at this soon.
Comment #3
mcarbone commentedOK, I incorporated your changes (there were a few aliases that were slightly off that needed fixing) and added a few more. While I was at it, I cleaned up some more queries, removing SELECT *'s and changing JOINs to INNER JOINs. I tested all of the major functionality and things seem to be working fine. It should appear in the dev releases soon.
I'll leave it in the dev release for a little while before putting out another beta release. In the meantime, if you use views with the current beta release, you will get the node access checks you need.
Here's the Drupal 6 version commit:
http://drupal.org/cvs?commit=235510
Comment #4
ebeyrent commentedAwesome - I'll start testing immediately. Thanks for doing this so quickly!
Comment #5
sethcohn commentedReviewed this, and it looks very good overall, thanks for the overall and speedy update to dev!
I see one small problem:
Removed from new dev (incorrectly?)
I suspect the removed code still needs tweaked, to be joined to the original node via node table, to help db_rewrite_sql do the right thing (Should you be able to see a comment node when you cannot see the node it's commenting about?)
Comment #6
mcarbone commentedThanks for catching that. The node_comment stuff is an artifact from the Fast Company version that I tried to remove entirely, but obviously failed in doing so. Node comments technically already work, but this did some handling of it so that it worked for their specific needs. So I removed all references to comment_nid and committed.
Comment #8
guysung commentedHi, I would say thanks so much for this great module first.
The minor issue I found is that _sm_helper_truncate() could get into infinite while loop.
I know the page execution time out due to the infinite while loop may be barely happened in real world because there should be a space in the body at least. But I've experienced this infinite loop with my dummy body text which doesn't have any space within first 100 characters.
Cheers.
Comment #9
guysung commentedI posted a new bug report in wrong place. sorry for the confusion.
Comment #10
mcarbone commented