I got an E_NOTICE today (you probably want to have that feature turn ON in D6 as well!)
Looking into it, I found the cause... the fact is that you load nodes with a SELECT statement. That won't work correct in 99% of the cases you have to handle.
The following is your original code. As you can see, you are building an array of nodes from the SELECT statement. At least, there is an SQL rewrite, so it is most certainly secure.
/**
* Menu callback for admin/content/webform. Displays all webforms on the site.
*/
function webform_admin_content() {
$result = db_query(db_rewrite_sql("SELECT n.* FROM {node} n WHERE n.type = 'webform'"));
$nodes = array();
while ($node = db_fetch_object($result)) {
$nodes[] = $node;
}
return theme('webform_admin_content', $nodes);
}
What you want to do is something like this instead:
/**
* Menu callback for admin/content/webform. Displays all webforms on the site.
*/
function webform_admin_content() {
$result = db_query(db_rewrite_sql("SELECT n.nid FROM {node} n WHERE n.type = 'webform'"));
$nodes = array();
while ($n = db_fetch_array($result)) {
$nodes[] = load_node(array('nid' => $n['nid']));
}
return theme('webform_admin_content', $nodes);
}
Otherwise, the node_access() call in the theming function (and in case someone overwrites the theme...) does not do what you expect it to do (since the format is not defined from your SELECT call.) It is still secure, since you generate an Edit link which will send you on a page that does not work and that's okay, but it would be better to do as intended and hide the link when not available.
In regard to the db_rewrite_sql() call, don't you need to add 'nid' as the 2nd parameter? or maybe array('nid')... I'm not totally sure, but I thought you were supposed to add something there.
Thank you.
Alexis Wilke
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | webform-admin_content-6.x.patch | 688 bytes | AlexisWilke |
Comments
Comment #1
quicksketchThis is not a critical bug (showing a link that does no harm is hardly a problem, though it is confusing). The solution you've suggested is wildly less efficient than the current mechanism, essentially changing one query into 20+ queries per node. We've already got db_rewrite_sql() in there, so any node access mechanisms should already be adding their modifications.
It seems like all we really need to do here is change the link from being node/x/edit to node/x/webform (in the 3.x version), since the editing the node no longer applies directly to Webform at all in 3.x.
Comment #2
AlexisWilke commentedI will have to agree about the time consumption...
You just cannot call node_access() on those "node" objects. So you could fix the link generation by removing the call (and you have the opposite effect: you save time!) And since 99% of the time, people who have access to that list will have access to the nodes, it certainly isn't a big problem.
Note: the node_access() is in the following function. The theme...() that actually generates the link.
Thank you.
Alexis
Comment #3
AlexisWilke commentedThere is a patch to remove the call to node_access() which does not work 100% and generates errors at this time.
Thank you.
Alexis Wilke
Comment #4
quicksketchSeems like this is already fixed in 3.x. Since it's such a minor issue, we probably won't see this fixed in 2.x.