Module doesn't follow access control properly
| Project: | Diaporama |
| Version: | 6.x-1.1 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | needs review |
This module will use deny permissions. When node_access asks the module if the user has permissions, the module will return False if the user doesn't have 'access diaporama' permissions. This is essentially saying deny. This does not allow for the use of other access control modules like TAC Lite.
There is a simple fix. If diaporama_access was going to return false, simply don't return any value.
Solution:
Change diaporama_access to:
```php
/**
 * Implementation of hook_access().
 */
function diaporama_access($op, $node) {
  global $user;

  if ($op == 'create') {
    // Only users with permission to do so may create this node type.
    return user_access('create diaporama');
  }

  // Users who create a node may edit or delete it later, assuming they have the
  // necessary permissions.
  if ($op == 'update' || $op == 'delete') {
    if (user_access('edit own diaporama') && ($user->uid == $node->uid)) {
      return TRUE;
    }
  }

  if ($op == 'view') {
    if (user_access('access diaporama')) {
      return TRUE;
    }
  }
  // No return value otherwise, so other access control modules can decide.
}
```
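
The effect of the change above, as an added example that is not part of the original post or of the Diaporama module: a simplified model of the Drupal 6 node_access() order for 'view', in which a non-NULL hook_access() answer is final and only NULL reaches the grant check. All `demo_` names, the `demo_realm` grants and the three cases are constructed for illustration.

```php
<?php
// Simplified model of the Drupal 6 node_access() order for 'view'.
// Not Drupal core or Diaporama code: demo_* names and grant data are constructed.

// "Before" behaviour described in the report: FALSE when the permission is missing.
function demo_access_before($op, $perms) {
  if ($op == 'view') {
    return in_array('access diaporama', $perms);
  }
}

// Proposed behaviour: TRUE or no return value (NULL).
function demo_access_after($op, $perms) {
  if ($op == 'view' && in_array('access diaporama', $perms)) {
    return TRUE;
  }
}

// A non-NULL hook answer is final; only NULL falls through to the grants.
function demo_node_access($op, $hook, $perms, $node_grants, $user_grants) {
  $access = $hook($op, $perms);
  if (!is_null($access)) {
    return (bool) $access;
  }
  // Every user matches the default "all:0" grant in addition to their own.
  $user_grants[] = 'all:0';
  return count(array_intersect($node_grants, $user_grants)) > 0;
}

// Constructed cases; the user never holds 'access diaporama'.
$perms = array('access content');
$cases = array(
  'access module grants user' => array(array('demo_realm:3'), array('demo_realm:3')),
  'default grant only' => array(array('all:0'), array()),
  'access module, no grant' => array(array('demo_realm:3'), array()),
);

foreach ($cases as $label => $case) {
  list($node_grants, $user_grants) = $case;
  $row = array();
  foreach (array('demo_access_before', 'demo_access_after') as $hook) {
    $ok = demo_node_access('view', $hook, $perms, $node_grants, $user_grants);
    $row[] = $ok ? 'allow' : 'deny';
  }
  printf("%-26s before=%-5s after=%s\n", $label, $row[0], $row[1]);
}
```

The "default grant only" case is the one to check when reviewing the change: with no access control module restricting the node, returning nothing means 'access diaporama' no longer limits who can view it.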

#1
Thanks for the fix. It will be integrated in the next release.