comments are added to search index without checking access

Project: Apache Solr Search Integration
Version: 7.x-1.x-dev
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: closed (cannot reproduce)

Issue Summary

This new module treats each comment like a document and indexes them separately. It then treats "comment" as a content type, meaning you can facet on type:comment and just see comments.

Interestingly, this module also solves the age-old problem (seemingly unsolvable) of getting page=x right in the URL (node/3?page=5#comment-456) when the comments are not on the first page.

Committing attached patch.

Attachment | Size | Status | Test result | Operations
commentsearch.patch | 11.93 KB | Ignored: Check issue status. | None | None

Comments

#1

Status: needs review » needs work

The "deep linking" permalinks for comments don't always work. Maybe it's something wrong with the devel-generated comments I'm testing with. Have to try with a real data set later. They work most of the time, though, which is better than D5 or D6 were able to do, afaik.

#2

Some bugfixes.

Attachment | Size | Status | Test result | Operations
commentsearch_bugfix.patch | 1.51 KB | Ignored: Check issue status. | None | None

#3

Comment access isn't respected by the current code. Something like this needs to happen, but this doesn't work. A refactoring of the query object is needed :(

Attachment | Size | Status | Test result | Operations
comment_search_access.patch | 2.02 KB | Ignored: Check issue status. | None | None

#4

Better handling of status and reindexing when comment is changed.

Attachment | Size | Status | Test result | Operations
commentsearch.patch | 2.14 KB | Ignored: Check issue status. | None | None

#5

#4 has been committed to 6.2. #3 hasn't been.

#6

Status: needs work » fixed

#7

Status: fixed » closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

#8

Title: New contrib module: comment search » comments are added to search index without checking access
Status: closed (fixed) » active

#3 has not been committed, but we need something like the commented-out section to respect access permissions. Follow #680992: comments are added to search index without checking access in core.

#9

I confirmed with the rest of the Drupal Security Team that given the existing public disclosures around this access-bypass bug, we should fix in public.

Likely we will want to try to use the same approach that's picked for the Drupal 6 backport in #680992: comments are added to search index without checking access.

#10

Version: 6.x-2.x-dev » 7.x-1.x-dev
Category: feature request » bug report

#11

Status: active » closed (cannot reproduce)

Since we don't have a commentsearch contrib module in D7 and we are using the comments from the node itself using the core update_index hooks, I am quite certain this bug does not exist in the D7 branch.

If a separate indexer would be made for the comments (in contrib), this might be interesting as a reference. Closing it for now.