Download & Extend
Apache Solr Search Integration » Issues

comments are added to search index without checking access

Posted by robertDouglass on September 17, 2009 at 9:31pm
Project:Apache Solr Search Integration
Version:7.x-1.x-dev
Component:Code
Category:bug report
Priority:normal
Assigned:Unassigned
Status:closed (cannot reproduce)

Issue Summary

This new module treats each comment like a document and indexes them separately. It then treats "comment" as a content type, meaning you can facet on type:comment and just see comments.

Interestingly this module also solves the age old problem (seemingly unsolvable) of getting page=x right in the URL (node/3?page=5#comment-456) when the comments are not on the first page.

Committing attached patch.

AttachmentSizeStatusTest resultOperations
commentsearch.patch11.93 KBIgnored: Check issue status.NoneNone
Login or register to post comments

Comments

#1

Posted by robertDouglass on September 17, 2009 at 9:55pm
Status:needs review» needs work

The "deep linking" permalinks for comments don't always work. Maybe it's something wrong the the devel generated comments I'm testing with. Have to try with a real data set later. They work most of the time, though, which is better than D5 or D6 were able to do, afaik.

#2

Posted by robertDouglass on October 2, 2009 at 9:05pm

Some bugfixes.

AttachmentSizeStatusTest resultOperations
commentsearch_bugfix.patch1.51 KBIgnored: Check issue status.NoneNone

#3

Posted by robertDouglass on October 3, 2009 at 4:06pm

Comment access isn't respected by the current code. Something like this needs to happen, but this doesn't work. A refactoring of the query object is needed :(

AttachmentSizeStatusTest resultOperations
comment_search_access.patch2.02 KBIgnored: Check issue status.NoneNone

#4

Posted by robertDouglass on November 12, 2009 at 4:01pm

Better handling of status and reindexing when comment is changed.

AttachmentSizeStatusTest resultOperations
commentsearch.patch2.14 KBIgnored: Check issue status.NoneNone

#5

Posted by robertDouglass on November 20, 2009 at 6:15pm

#4 has been committed to 6.2. #3 hasn't been.

#6

Posted by robertDouglass on December 10, 2009 at 9:42am
Status:needs work» fixed

#7

Posted by System Message on December 24, 2009 at 9:50am
Status:fixed» closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

#8

Posted by jpmckinney on May 12, 2010 at 12:55pm
Title:New contrib module: comment search» comments are added to search index without checking access
Status:closed (fixed)» active

#3 has not been committed, but we need something like the commented-out section to respect access permissions. Follow #680992: comments are added to search index without checking access in core.

#9

Posted by pwolanin on May 12, 2010 at 2:12pm

I confirmed with the rest of the Drupal Security Team that given the existing public disclosures around this access-bypass bug, we should fix in public.

Likely we will want to try to use the same approach that's picked for the Drupal 6 backport in #680992: comments are added to search index without checking access

#10

Posted by jpmckinney on March 20, 2011 at 2:47am
Version:6.x-2.x-dev» 7.x-1.x-dev
Category:feature request» bug report

#11

Posted by Nick_vh on January 9, 2012 at 10:29am
Status:active» closed (cannot reproduce)

Since we don't have a commentsearch contrib module in D7 and we are using the comments from the node itself using the core update_index hooks I am quite certain this bug does not exists in the D7 branch.

If a separate indexer would be made for the comments (in contrib) this might be interesting as a reference. Closing it for now

nobody click here