Posted by iStryker on July 15, 2009 at 5:03am
| Project: | Question |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | tanoshimi |
| Status: | closed (fixed) |
| Issue tags: | Question-6.x release blocker |
Issue Summary
If you give a role the permission to 'ask a question', then they can type in www.yoursite.com/node/add/question and they can create a new question on your site without approval. I don't know if this is the same in 5.x. I haven't tested it. I have just tested on the latest 6.x-1.x-dev
Comments
#1
It looks like question_access is checking the wrong permission. Currently, permission to create a question node is granted to users with "ask questions" permission, but the question node is really the question and answer combined, which should therefore only be given to users with the "manage questions" permission.
Permission to create questions (i.e. to add a new row to the question_queue table) is controlled by the "ask questions" combined with the value of the question_require_registered variable in question_qform().
Attached patch should correct this.
#2
changing status
#3
This patch passes the tests created in http://drupal.org/node/758638, so I'm going to mark it as Ready To Be Committed.
As soon as my cvs access is sorted out, I'll commit both the patch and the test!
#4
Committed to 6.x-1.x-dev branch.
#5
Automatically closed -- issue fixed for 2 weeks with no activity.