Closed (fixed)
Project: Apache Solr Search
Version: 5.x-2.x-dev
Component: Node access
Priority: Normal
Category: Bug report
Assigned:
Reporter:
Created: 25 Oct 2009 at 15:09 UTC
Updated: 19 Nov 2009 at 17:30 UTC
Comments
Comment #1
Scott Reynolds commented
Well, I believe this is on cron, yes? Or when the node is being reindexed.
So this shouldn't be a problem on cron run because the cron user is anon; just remove the $account param.
Perhaps you will have to query for the node_access records as well as check user_access('view $type') by hand?
Comment #2
claudiu.cristea
@Scott Reynolds,
Usually this runs on cron... But what happens when cron is run manually by an admin? Maybe adding a new check for UID?
This isn't very clean, but it assures that we will not index wrong values in Solr.
Not sure what you mean...
Comment #3
Scott Reynolds commented
So then this only happens when an admin runs cron. Good, then it's not critical.
http://drupal.org/node/218104
That has examples on how to securely change user.
Comment #4
claudiu.cristea
Wrong post.
Comment #5
claudiu.cristea
@Scott Reynolds,
Is http://drupal.org/node/218104 tested? If so, I can easily fix the issue.
Thanks for your help!
Comment #6
Scott Reynolds commented
Yes, it's written by the security team. It's the right way.
Comment #7
claudiu.cristea
Here's a patch for testing & review.
Comment #8
claudiu.cristea
In addition to that fix I found another issue. In function
_apachesolr_nodeaccess_build_subquery(), we try to obtain access grants in D6 style:
but we have to use Drupal 5 form:
Note that in D5 we pass the UID not the entire user object.
The patch was rebuilt.
Comment #9
claudiu.cristea
Add back micro-caching to anonymous account.
Comment #10
Scott Reynolds commented
Only issue I would point out is
is going to cause PHP warnings. The original_user isn't always set.
Would work just fine as the only time you 'set' $original_user is when the $GLOBALS['user'] isn't uid 0.
Comment #11
claudiu.cristea
Thanks @Scott Reynolds for the "PHP warning" comment...
I fixed that...
Comment #12
claudiu.cristea
Added also the CHANGELOG.txt entry.
Comment #13
claudiu.cristea
Fixed in #284502.
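
The pattern discussed in comments #1 to #10 (compute the grants as the anonymous user even when an admin runs cron by hand, pass the UID in the Drupal 5 form, and restore the caller only if a switch happened), as an added PHP example that is not the patch from this issue. The helper name `example_grants_as_anonymous()` and the sample grants are hypothetical, and the shims stand in for Drupal 5 core so the file runs under plain PHP.

```php
<?php
// Added illustration, not the patch from this issue.
// Shims stand in for Drupal 5 core when this file is run under plain PHP.
$standalone = !function_exists('node_access_grants');
if ($standalone) {
  function session_save_session($status = NULL) {
    static $save = TRUE;
    if (isset($status)) { $save = $status; }
    return $save;
  }
  function drupal_anonymous_user() {
    return (object) array('uid' => 0, 'roles' => array(1 => 'anonymous user'));
  }
  // Constructed grants: any logged-in uid holds a realm anonymous lacks.
  function node_access_grants($op, $uid = NULL) {
    $grants = array('all' => array(0));
    if ($uid) {
      $grants['example_private'] = array($uid);
    }
    return $grants;
  }
}

// Hypothetical helper: collect the 'view' grants to index, always as uid 0.
function example_grants_as_anonymous() {
  global $user;
  if ($user->uid != 0) {
    // Cron was started by a logged-in user (e.g. an admin): switch identity
    // and stop session writes so the swap is never persisted.
    $original_user = $user;
    $old_state = session_save_session();
    session_save_session(FALSE);
    $user = drupal_anonymous_user();
  }
  // Drupal 5 form: pass the UID, not the user object.
  $grants = node_access_grants('view', $user->uid);
  // $original_user exists only if we switched; isset() avoids a PHP warning.
  if (isset($original_user)) {
    $user = $original_user;
    session_save_session($old_state);
  }
  return $grants;
}

if ($standalone) {
  $GLOBALS['user'] = (object) array('uid' => 1); // constructed: admin runs cron
  print_r(example_grants_as_anonymous());
  print "restored uid: " . $GLOBALS['user']->uid . "\n";
}
```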