Maybe it is a wrong interpretation on my side, but, in this function:
/**
 * Implementation of hook_access().
 */
function casetracker_basic_case_access($op, $node) {
  global $user;
  switch ($op) {
    case 'view':
      // we have to check if the OG module is installed, otherwise this will
      // overrule the OG nodeaccess
      if (!module_exists('og')) {
        return user_access('access case tracker');
      }
      // we check if the case is created by the current user or is
      // assigned to the current user, if so that user gets access
      elseif (
        user_access('access case tracker')
        && 0 < (int) $user->uid
        && ((int) $node->casetracker->assign_to === (int) $user->uid
          || (int) $node->uid === (int) $user->uid)
      ) {
        return TRUE;
      }
      break;
    case 'create':
      return user_access('create cases');
    case 'update':
    case 'delete':
      if (user_access('edit own cases') && ($user->uid == $node->uid)) {
        return TRUE;
      }
      break;
  }
}
This code:
if (!module_exists('og')) {
shouldn't it be:
if (module_exists('og')) {
This is because, if a user didn't install Organic Groups, Case Tracker Basic should restrict access based on 'assign_to' and 'author'.
Am I wrong? Or is this indeed a bug?
If this is a bug, I'm attaching the proper patch.
Comments
Comment #1
dagmar commented
Well, I did a bit more research and I'm really convinced that this is a bug.
This patch restricts access to cases if the user is not the author or the assigned user.
I'm not sure whether, if Organic Groups is enabled, casetracker_basic_case_access should return NULL or user_access('access case tracker');
Anyway, for sites without OG, this patch works fine.
Comment #2
dagmar commented
Try this patch; the patch in #1 has to be applied with patch -p1, this one works with patch -p0.
Comment #3
jmiccolis commented
Oh my, this code is just embarrassing. I'm not happy about any of this, thank you for bringing it to my attention.
I've removed the entire view clause from that switch statement. This sort of logic should really be dealt with at the node_access database table layer. Doing this here for viewing content is really going to cause trouble, as most people's sites are Views-driven and rely on being able to join against node_access to ensure access rule enforcement.
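As an added example (not the Case Tracker module's own code), this is the node_access-table approach jmiccolis points to: a hypothetical `casetracker_grants` module implementing the Drupal 6 hook_node_access_records()/hook_node_grants() pair, assuming the `$node->casetracker->assign_to` property and the 'access case tracker' permission from the code above, with update/delete left to hook_access() as before.

```php
// Added example: hypothetical "casetracker_grants" module (Drupal 6 API).
/**
 * Implementation of hook_node_access_records(): one {node_access} row per
 * realm, written on node save and by node_access_rebuild().
 */
function casetracker_grants_node_access_records($node) {
  // Only cases carry casetracker data; other types are left to other modules.
  if (empty($node->casetracker)) {
    return;
  }
  $grants = array();
  $grants[] = array(
    'realm' => 'casetracker_author',
    'gid' => (int) $node->uid,
    'grant_view' => 1,
    'grant_update' => 0,
    'grant_delete' => 0,
    'priority' => 0,
  );
  // Unassigned cases (assign_to 0) get no assignee row, so no row with gid 0
  // exists that a mis-mapped realm could match.
  $assignee = (int) $node->casetracker->assign_to;
  if ($assignee > 0 && $assignee != (int) $node->uid) {
    $grants[] = array(
      'realm' => 'casetracker_assignee',
      'gid' => $assignee,
      'grant_view' => 1,
      'grant_update' => 0,
      'grant_delete' => 0,
      'priority' => 0,
    );
  }
  return $grants;
}

/**
 * Implementation of hook_node_grants(): an account is in the author and
 * assignee realms only for gid == its own uid, only with the permission,
 * and anonymous users get no grants at all.
 */
function casetracker_grants_node_grants($account, $op) {
  if ($account->uid <= 0 || !user_access('access case tracker', $account)) {
    return array();
  }
  return array(
    'casetracker_author' => array((int) $account->uid),
    'casetracker_assignee' => array((int) $account->uid),
  );
}
```

Because Drupal 6 writes a default 'all' row for nodes that no module returns records for, cases saved before the module was enabled stay visible to everyone until node_access_rebuild() has been run; Views queries then enforce the same rule via their node_access join.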