Wrong usage of db_rewrite_sql

Looks like a bug indeed.

Problem is, ZG has no PK (for good reason: it's just an archive log that can actually contain fully duplicated rows; it would have to be a meaningless serial id), and I don't see on what field one could want to apply access control to, for the rewrite. And yet, any list in Drupal is usually expected to provide some way to hook an access control to its execution. Any suggestion ?

But ZG contains only the user input with no strict relation to site content (node, user, taxonomy, ...). We use word filter to prevent "bad words" from adding to ZG stats. And it's our 'access control'.
I think, unless ZG would contain any references to users, nodes or something else no access control should be used.

Well, someone might want to use access control to filter results based on search terms, so I fixed the db_rewrite_sql calls to apply to the ZG table. Can you try this patch ?

Hi,

I looked through your patch and didn't find implementation of hook hook_db_rewrite_sql. So function calls db_rewrite_sql($sq, 'zg', 'search') shouldn't affect queries.
But i can't imagine how result can be filtered based on search terms: search term is a word, not a phrase like in ZG. The result query should use "like" with using % which made it very heavy.

In other hand, this patch just gives opportunity for other developers to filter query results without changing your code. I'll try it tomorrow.

That's exactly the idea: prevent db_rewrite_sql from firing inadvertently, and yet allows someone to use it to filter results.