Maybe it is a wrong interpretation on my side, but in this function:

/**
 * Implementation of hook_access().
 */
function casetracker_basic_case_access($op, $node) {
  global $user;

  switch ($op) {
    case 'view':
      // we have to check if the OG module is installed, otherwise this will
      // overrule the OG node access
      if (!module_exists('og')) {
        return user_access('access case tracker');
      }
      // we check if the case isn't created by the current user or is
      // assigned to the current user, if so that user gets access
      elseif (
        user_access('access case tracker')
        && 0 < (int)$user->uid
        && ((int)$node->casetracker->assign_to === (int)$user->uid
           || (int)$node->uid === (int)$user->uid)
      ) {
        return TRUE;
      }
      break;
    case 'create':
      return user_access('create cases');
    case 'update':
    case 'delete':
      if (user_access('edit own cases') && ($user->uid == $node->uid)) {
        return TRUE;
      }
      break;
  }
}

This code:

if (!module_exists('og')) {

shouldn't it be:

if (module_exists('og')) {

This is because, if a user didn't install Organic Groups, Case Tracker Basic should restrict access based on 'assign_to' and 'author'.

Am I wrong? Or is this indeed a bug?

If this is a bug, I'm attaching the proper patch.

Comments

dagmar

Attached file: new, 1.4 KB

Well, I did a bit more research and I'm really convinced that this is a bug.

This patch restricts access to cases if the user is not the author or the assigned user.

I'm not sure whether, if Organic Groups is enabled, casetracker_basic_case_access should return NULL or user_access('access case tracker').

Anyway, for sites without OG, this patch works fine.

dagmar

Attached file: new, 1.4 KB

Try this patch; the patch in #1 has to be applied with patch -p1, this one works with patch -p0.

jmiccolis

Status: Needs review » Fixed

Oh my, this code is just embarrassing. I'm not happy about any of this, thank you for bringing it to my attention.

I've removed the entire view clause from that switch statement. This sort of logic should really be dealt with at the node_access database table layer. Doing this here for viewing content is really going to cause trouble, as most people's sites are Views-driven and rely on being able to join against node_access to ensure access rule enforcement.
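To make the node_access point above concrete, here is an added example (not code from the Case Tracker Basic module, nor from either patch in this thread) of how the view rule discussed in the original post, that the author or the assignee of a case may view it, can be expressed as node_access grants instead of inside hook_access. It assumes the Drupal 6 node access API (hook_node_access_records() and hook_node_grants()), the same $node->casetracker->assign_to field and 'access case tracker' permission the posted code uses, and a hypothetical module name casetracker_basic_grants; the realm names are assumptions too.

```php
<?php
// Added example: node_access grants for Case Tracker Basic cases.
// Not part of the module or of the patches in this thread. Assumes the
// Drupal 6 node access API and a hypothetical module named
// casetracker_basic_grants. Realm names are assumptions.

/**
 * Implementation of hook_node_access_records().
 *
 * Runs when a case node is saved and during node_access_rebuild(). Returns one
 * node_access row per principal that may view the case: the author and, when
 * set, the assignee. Rows land in the node_access table, so Views and
 * node_access() enforce them, unlike checks done in hook_access().
 */
function casetracker_basic_grants_node_access_records($node) {
  // Only cases carry a casetracker record; leave other node types alone.
  if (empty($node->casetracker) || !isset($node->casetracker->assign_to)) {
    return array();
  }

  $grants = array();

  // Author realm: the gid is the author's uid.
  $grants[] = array(
    'realm' => 'casetracker_basic_author',
    'gid' => (int) $node->uid,
    'grant_view' => 1,
    'grant_update' => 0,
    'grant_delete' => 0,
    'priority' => 0,
  );

  // Assignee realm: the gid is assign_to. An unassigned case (assign_to = 0)
  // gets no assignee row, so it is never matched through uid 0.
  if ((int) $node->casetracker->assign_to > 0) {
    $grants[] = array(
      'realm' => 'casetracker_basic_assignee',
      'gid' => (int) $node->casetracker->assign_to,
      'grant_view' => 1,
      'grant_update' => 0,
      'grant_delete' => 0,
      'priority' => 0,
    );
  }

  return $grants;
}

/**
 * Implementation of hook_node_grants().
 *
 * Runs on every access check and for Views' node_access join. A user gets
 * their own uid as gid in both realms, but only for 'view', only with the
 * 'access case tracker' permission, and never for the anonymous user.
 */
function casetracker_basic_grants_node_grants($account, $op) {
  if ($op != 'view'
      || (int) $account->uid < 1
      || !user_access('access case tracker', $account)) {
    return array();
  }

  return array(
    'casetracker_basic_author' => array((int) $account->uid),
    'casetracker_basic_assignee' => array((int) $account->uid),
  );
}
```

After enabling a module like this, run node_access_rebuild() (or "Rebuild permissions" on the content access settings page) so existing cases get their rows. Because node access grants from different modules are combined, a site that also runs Organic Groups keeps the OG grants alongside these; a user who matches either set can view the case, which is the behaviour the earlier comments were unsure how to express inside hook_access().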

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.