Closed (fixed)
Project: Drupal core
Version: 7.x-dev
Component: node.module
Priority: Normal
Category: Bug report
Assigned: Unassigned
Issue tags:
Reporter:
Created: 13 Jan 2010 at 17:56 UTC
Updated: 3 Jan 2014 at 01:08 UTC
Comments
Comment #1
dave reid
Removes the check for 'administer nodes' permission. Let's see how the bot likes it.
Comment #2
agentrickard
Yes, please.
In fact, we should probably open a meta-issue to remove all access checks from validate and submit functions.
Comment #3
moshe weitzman commented
Indeed. These checks are pure cruft.
Comment #4
drewish commented
subscribing
Comment #5
agentrickard
See #683778: Remove permission checks from _validate() and _submit() handlers for the meta issue.
Comment #6
dww
<hat class="security-team">Yes, definitely RTBC. This patch is making core more secure since we're now *always* validating these fields, not just for folks with 'administer nodes'.
</hat>
Comment #7
dries commented
Looks good to me. Committed to CVS HEAD.
Comment #8
dave reid
Arg we didn't have any test coverage to know this was broken, but it is even before this patch landed. You can't change node authors. Working on a quick test.
Comment #9
dave reid
So the check for !isset($node->uid) is pointless because it's *always* going to be defined. We should just check if $node->name is set.
Comment #10
dave reid
Comment #11
dww
@Dave Reid: #8 implies this is a completely distinct bug, separate from this change. I'm not sure why we're piling it on here. Why not open a new critical bug and mark this one fixed? This didn't have anything to do with the problem...
Comment #12
int commented
2 issues for one bug is too much. We need a new status message; instead of one tag "Needs tests", I think it is better to know this issue is fixed, and only "Needs tests".
Comment #13
dave reid
We've got an existing critical issue open at #492186: Authoring information is never updated. for not being able to update node names. Reverting meta-data and marking as fixed.
Comment #14
dww
@int: I think you misunderstand me. I'm not proposing 2 issues for 1 bug. There are two completely unrelated bugs. This bug is about pointless access checks that make life difficult for contrib modules. The other bug is about not being able to change the owner of a node when you edit it. They just happen to touch nearly the same lines of code... My point was that it's silly to keep talking about the 2nd bug in the issue that already fixed the first.
@Dave Reid: Thanks. That's exactly what I meant. ;)
Cheers,
-Derek