Module Grants implements replacement for node_access() function but that function is used only for single node view. Node access in listings is processed with db_rewrite_sql() function. Since Module Grants doesn't work with that function, node listings access remains default. That means node listings may show nodes which will be denied access when accessed directly.
More information: comment of node_access() function and http://www.advomatic.com/blogs/marco-carbone/using-multiple-node-access-...

Comments

crea’s picture

Version: 6.x-2.x-dev » 6.x-2.6
mcarbone’s picture

I've added an issue for Drupal 7 to make sure this isn't a problem there as well with the new alter functions: http://drupal.org/node/603540

As for D6, the solution is to add a hook_db_rewrite_sql like that commenter mentioned in my blog post. I may have time to look at this down the road but can't in the immediate future.

guillaumeduveau’s picture

It's not critical but it makes the module quite useless ATM if you want to build a TAC + Workflow restricted areas site

mcarbone’s picture

Status: Active » Needs review
StatusFileSize
new2.63 KB

Here's a patch that implements a hook_db_rewrite_sql for module_grants. The tricky part was getting it to work for the lenient configuration, which I was able to do with a subquery. If someone can come up with leaner SQL to accomplish, please provide.

mcarbone’s picture

Status: Needs review » Needs work

Ack, this is not working on further testing.

mcarbone’s picture

Status: Needs work » Needs review
StatusFileSize
new2.71 KB

OK, I fixed the bug. module_grants_db_rewrite_sql now adds two subqueries per node access module if lenient, one per node access module if strict. Again, suggestions for leaner SQL are welcome. (I'm beginning to see why Drupal went with the whole OR grant thing.)

rdeboer’s picture

Assigned: Unassigned » rdeboer
Status: Needs review » Fixed

Thanks for the patch mcarbone! This is has been checked into the repository and is available for testing in development snapshots dated 10 Nov 09 or later.
Rik

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

henkiejan’s picture

Status: Closed (fixed) » Active

Hello,

There's a missing db-prefix for the node_access-table in the patch in this line:

$grants[] = "(" . $lenient_subquery . "(SELECT COUNT(1) FROM node_access nasq WHERE na.nid = nasq.nid AND ($module_grants)) > 0)";

That gave me quite some sql-errors in menu.inc and view.inc.

Erik Greve

rdeboer’s picture

Thanks for reporting this typo Erik!
Will have this corrected in the upcoming 6.x-3.0 version due later this week.

rdeboer’s picture

Status: Active » Fixed

Fixed in 6.x-3.x (16 Dec).

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

smartinm’s picture

Status: Closed (fixed) » Needs review

I think _module_grants_node_access_where_sql should also check the universal "all" grant as _node_access_where_sql:

--- module_grants-6.x-3.4/module_grants.module	2010-01-13 01:35:36.000000000 +0100
+++ module_grants/module_grants.module	2010-02-16 10:42:44.993068400 +0100
@@ -629,7 +629,8 @@ function _module_grants_node_access_wher
     }
     $grants[] = '('. $lenient_subquery ."(SELECT COUNT(1) FROM {node_access} nasq WHERE $node_access_alias.nid=nasq.nid AND ($module_grants)) > 0)";
   }
-  $sql = count($grants) ? implode(' AND ', $grants) : '';
+  $base_sql = "((SELECT COUNT(1) FROM {node_access} nasq WHERE $node_access_alias.nid=nasq.nid AND gid=0 AND realm='all') > 0)";  
+  $sql = $base_sql . (count($grants) ?  ' OR '. implode(' AND ', $grants) : '');
   return $sql;
 }
rdeboer’s picture

Version: 6.x-2.6 » 6.x-3.4
Priority: Critical » Normal
Status: Needs review » Fixed

Thanks!
Checked into repository as shown in #13.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.