Flag module's implementation of hook_flag_access tests for permission according to authorship. It always returns FALSE when there's no content ID. The function assumed that the content (node or comment) had been loaded and so compared for inequality the non-existant UID property on the not-there-at-all comment or node.

If Flag is asking around for permission on a node that doesn't exist yet, the restrict content by authorship feature should assume that new nodes are being authored by the user who is logged in.

This patch fixes this bug. Now "access_author" only restricts permission on nodes or comments that have actually been saved.

CommentFileSizeAuthor
#2 flag_authorship_new.patch1.52 KBquicksketch
flag-authorship-access.patch1.88 KBAnonymous (not verified)

Comments

quicksketch’s picture

quicksketch
he/him
commented
Status: Needs review » Needs work

I agree this is a problem, but on reviewing the patch I can't figure out how this would correctly solve it. This bit here seems like it's going to call node_load(NULL):

-    $comment = _comment_load($content_id);
     $node = node_load($comment->nid);

Since $comment is no longer defined, neither is $comment->nid obviously.

quicksketch’s picture

quicksketch
he/him
commented
Status: Needs work » Fixed
StatusFileSize
new flag_authorship_new.patch1.52 KB

This patch should accomplish the same thing. I think it's a bit more explicit about what it is solving. If a $content_id is NULL (as in the node add form), Flag checks if the access is set to "Only flag the content of others" and denies access in that case. Otherwise it will immediately return NULL because it cannot actually load any content on which it can form an opinion.

Thanks for bringing this up, please reopen if this patch does not solve the problem correctly. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.