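function user_relationship_node_access_nodeapi(&$node, $op, $a3 = NULL, $a4 = NULL) {
  global $user;
  // Returns for every $op unless the current user is the node author.
  if ($node->uid != $user->uid) {
    return;
  }
  // ... (rest of the hook not shown)
}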

The nodeapi hook returns immediately if the current user is not the node author. It appears to me that this is causing the grants to get blown away whenever the node access table is rebuilt or the node is saved by another user (admin) or programmatically (by another module or cron), because nodeapi doesn't set the $node->user_relationship_node_access that user_relationship_node_access_node_access_records() is looking at when node_access_acquire_grants() gets called.
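The failure described above can be reproduced in a stand-alone model. This is an added example, not code from the module or from Drupal: every demo_* function, the realm name and the stored settings are hypothetical stand-ins for the nodeapi load step, the node_access_records step and a rebuild.

```php
<?php
// Added illustration: stand-alone model of the flow described in the issue.
// All demo_* names and the demo_settings field are hypothetical.

// Model of the nodeapi 'load' step: attaches stored access settings to the node.
function demo_nodeapi_load($node, $current_uid, array $stored, $author_only) {
  if ($author_only && $node->uid != $current_uid) {
    return $node;  // the early return quoted in the issue
  }
  $node->demo_settings = isset($stored[$node->nid]) ? $stored[$node->nid] : array();
  return $node;
}

// Model of the node_access_records step: builds grants from what 'load' attached.
function demo_access_records($node) {
  $grants = array();
  if (!empty($node->demo_settings)) {
    foreach ($node->demo_settings as $rtid) {
      $grants[] = array('realm' => 'demo_relationship_' . $rtid, 'gid' => $node->uid, 'grant_view' => 1);
    }
  }
  return $grants;
}

// Model of a rebuild: the node's grants are replaced by whatever the records step returns.
function demo_rebuild($nid, $author_uid, $current_uid, array $stored, $author_only) {
  $node = new stdClass();
  $node->nid = $nid;
  $node->uid = $author_uid;
  $node = demo_nodeapi_load($node, $current_uid, $stored, $author_only);
  return demo_access_records($node);
}

// Constructed data: node 10, authored by uid 5, restricted to relationship types 1 and 2.
$stored = array(10 => array(1, 2));
$cases = array(
  'author saves, check present'       => array(5, TRUE),
  'admin/cron rebuild, check present' => array(1, TRUE),
  'admin/cron rebuild, check removed' => array(1, FALSE),
);
foreach ($cases as $label => $c) {
  $grants = demo_rebuild(10, 5, $c[0], $stored, $c[1]);
  printf("%-36s => %d grant(s)\n", $label, count($grants));
}
```

Only the middle case loses the node's grants, which is the situation the post describes for rebuilds and saves performed by anyone other than the author.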

Comments

sirkitree

Yeah, it doesn't even load the information in case 'load' because of this - I'm not even sure how this module works with this check present.

webchick

Priority: Normal » Critical

This seems fairly critical?

webchick

Looking into CVS annotate, it seems this code has been part of the module since its initial commit in issue #229866: private nodes access control plugin. It was added by sprsquish at #229866-9: private nodes access control plugin. jbrown responded "Why do you only allow the node author to change the node access permissions? This even prevents uid 1 from changing it. Surely if a user has the right to edit the node, then they should be able to edit the node access permissions." and suggested a permission be added to check instead. This change was done in #229866-12: private nodes access control plugin, but apparently never made it over to the code in CVS?

sirkitree

Wow, holy crap that's some good sleuthing!

webchick

Status: Active » Needs review
Attached file: status new, size 912 bytes

Here's the patch to remove this problematic chunk of code, at any rate.

alex.k

Status: Needs review » Fixed

Committed in http://drupal.org/cvs?commit=366928. Thank you.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.