Node access not working (only for 5.x-2.x)
claudiu.cristea - October 25, 2009 - 15:09
| Project: | Apache Solr Search Integration |
| Version: | 5.x-2.x-dev |
| Component: | Node access |
| Category: | bug report |
| Priority: | normal |
| Assigned: | claudiu.cristea |
| Status: | closed |
Description
The DRUPAL-5--2 branch is result of backporting DRUPAL-6--1 in #557152: Backporting last changes to 5.x.
Recently I found that the node access feature is not working as it should be.
This is due to the fact that in D6, node_access() takes also the $account as argument while in D5 version it doesn't.
I found too that there's no easy way to emulate that in D5. Can somebody help find out how to emulate this line in 5?
<?php
if (!node_access('view', $node, $account)) {
...
?>from apachesolr_nodeaccess.module?
Thanks!
#1
Well I believe this is on cron yes? Or when the node is being reindexed.
So this shouldn't be a problem on cron run because the cron user is anon, just remove the $account param.
Perhaps you will have to query for the node_access records as well as check user_access('view $type') by hand?
#2
@Scott Reynolds,
Usually this runs on cron... But what's happen when cron is ran manually by admin? Maybe adding a new check for UID?
<?phpif ($GLOBAL['user']->uid == 0) {
if (!node_access('view', $node)) {
...
}
else {
...
}
}
?>
This isn't very clean, but it assures that we will not index wrong values in Solr.
Not sure what you mean...
#3
So then this only happens when an admin runs cron. good then its not critical
http://drupal.org/node/218104
That has examples on how to securely change user
#4
Wrong post.
#5
@Scott Reynolds,
Is http://drupal.org/node/218104 tested? If so, I can easily fix the issue.
Thanks for your help!
#6
Yes its written by the security team. its the right way
#7
Here's a patch for testing & review.
#8
In addition to that fix I found another issue. In function
_apachesolr_nodeaccess_build_subquery(), we try to obtain access grants in D6 style:<?php// Get node access grants.
$grants = node_access_grants('view', $account);
?>
but we have to use Drupal 5 form:
<?php// Get node access grants.
$grants = node_access_grants('view', $account->uid);
?>
Note that in D5 we pass the UID not the entire user object.
The patch was rebuilt.
#9
Add back micro-caching to anonymous account.
#10
Only issue I would point out is
<?phpif ($original_user->uid) {
?>
is going to cause php warnings. The original_user isn't always set.
<?phpif (isset($original_user)) {
?>
Would work just fine as the only time you 'set' $original_user is when the $GLOBALS['user'] isn't uid 0.
#11
Thanks @Scott Reynolds for the "PHP warning" comment...
I fixed that...
#12
Added also the CHANGELOG.txt entry.
#13
Fixed in #284502.
#14
Automatically closed -- issue fixed for 2 weeks with no activity.