Hi, i have various galleries password protected. For view the gallery the password is required, ok. But in the view of galleries i can view the cover for all galleries (included password protected that the password is not yet included)

In the function _node_gallery_access_redirect (node_gallery_access.module, line 294 aprox.) i observe this code:

    if ($user->uid != $node->uid && !node_gallery_access_perms_allow_access()) {
      $id = (!empty($gid) && is_numeric($gid)) ? $gid : $node->nid;
      // If node is password protected and not teaser nor page view and not owner of node
      if (!isset($_SESSION['_node_gallery']['passwords'][$id])) {
        //a4 for page
        if (!$teaser) {
          $_SESSION['_node_gallery']['current'] = $id;
          drupal_goto('node_gallery/enterpassword', 'destination='. $_GET['q']);
        } //teaser
        else {
          $node->teaser = '';
          $node->body = '';
          $node->content = array();
          
          $gallery = node_load($id);
          $node->filepath = node_gallery_access_default_pass_image();
          $node->content['pass'] = array('#value' => l(theme('image_view', $gallery->config['teaser']['image'], $node), 'node/'. $node->nid,
           array('html' => TRUE)));
        }
      }

why the second condition of the first if ?
node_gallery_access_perms_allow_access() always return true, then the if never execute.

Sorry for my bad english

Comments

justintime’s picture

node_gallery_access_perms_allow_access doesn't always return true, it returns true only if you have permissions to view password protected galleries without a password. If you don't have those permissions, then it returns false, and the code within the if is executed.

You mentioned manually "fixing" your node_access table over here: #645650: Node Gallery Access Password Protection isnt' working. If you still have that in place, you need to rebuild your node permissions.

Note that until #645650: Node Gallery Access Password Protection isnt' working is resolved, the whole password protection scheme is basically broken. Once I can get that issue fixed, you'll need to test your findings against that code.

kmonty’s picture

Status: Active » Closed (fixed)

Download alpha 11. If it is still an issue, reopen.

http://drupal.org/node/627156

izarco’s picture

The second condition of the if is !node_gallery_access_perms_allow_access().

This function do this:

function node_gallery_access_perms_allow_access($access_type = NODE_GALLERY_ACCESS_TYPE_PUBLIC, $op = 'view', $account = NULL) {
  global $user;
  if (!isset($account)) {
    $account = $user;
  }
  
  //IF they have admin rights, we short circuit, giving access
  if ($account->uid == 1 || user_access('administer nodes', $account)) {
    return TRUE;
  }
  
  switch ($access_type) {
    // Anyone can access public galleries
    case NODE_GALLERY_ACCESS_TYPE_PUBLIC:
      return TRUE;
      break;
    case NODE_GALLERY_ACCESS_TYPE_PRIVATE:
      if (user_access(NODE_GALLERY_ACCESS_PERM_EDIT_PRIVATE_CONTENTS, $account) || ($op == 'view' && user_access(NODE_GALLERY_ACCESS_PERM_ACCESS_PRIVATE_CONTENTS, $account))) {
        return TRUE;
      }
      break;
    case NODE_GALLERY_ACCESS_TYPE_PASSWORD:
      if (user_access(NODE_GALLERY_ACCESS_PERM_EDIT_PASSWORD_CONTENTS, $account) || ($op == 'view' && user_access(NODE_GALLERY_ACCESS_PERM_ACCESS_PASSWORD_CONTENTS, $account))) {
        return TRUE;
      }
      break;
  }
  return FALSE;
}

When we call node_gallery_access_perms_allow_access() without params, $acces_type take the value NODE_GALLERY_ACCESS_TYPE_PUBLIC.
In this conditions the function return always true => !node_gallery_access_perms_allow_access() it's always false => the condition of the if of my first post " if ($user->uid != $node->uid && !node_gallery_access_perms_allow_access()) " never is true.

Am i wrong?

izarco’s picture

Version: 6.x-2.0-alpha9 » 6.x-2.0-alpha11
Status: Closed (fixed) » Active

I was wrong. This is the version that was installed from the start.

justintime’s picture

Assigned: Unassigned » justintime
Priority: Normal » Critical

Now I follow you, sorry I was looking at the function, not the way it was being called. You are correct, and this is a bug.

If I can get a couple of hours this weekend, I should be able to get this contrib module back into a working status again - I'll make this bug part of that. Thanks for the help. Bumping the priority to critical, since it's allowing users to view content they shouldn't.

justintime’s picture

Version: 6.x-2.0-alpha11 » 6.x-2.x-dev
Status: Active » Needs review

This should now be resolved by applying the patch attached to #645650: Node Gallery Access Password Protection isnt' working.

justintime’s picture

Status: Needs review » Fixed
gothica’s picture

Status: Fixed » Active

doesn't work for me.. used latest version dev module

justintime’s picture

Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.