I found a critical bug in the taxonomy access modul using
- Views 2 module
- Taxonomy Access module

Reproduce:
- Create a new view with "node_revisions" (not node)
- Add field node title.
- Test the view with a site admin, you will get some results.
- Create a role that has no permission for "administer taxonomy"
- Create some TAC permissions
- test the view again (make a view page display and logout).
- You will get an empty result because TAC rewrites the SQL statement!

Problem description:
An SQL Statement will be created querying the base table "node_revisions".

Unfortunatly, the table node_revisions has a field called "vid" which is NOT related to the vocabulary id field.

In the function

function taxonomy_access_db_rewrite_sql($query, $table, $field) {
  if (!user_access('administer taxonomy') && ($field =='vid' || $field =='tid')) {
   ....
}

the SQL statement will be rewritten although no taxonomy is involved.

Solution:
Make a special rule for node_revisions table. Attached you find a patch.

CommentFileSizeAuthor
taxonomy_access-6.x-1.2-node_revision.patch640 bytesayalon

Comments

xjm’s picture

Status: Active » Reviewed & tested by the community

Patch seems to apply fine. Excellent catch! Thank you. It's always driven me bonkers that vid is both revision id and vocab id.

xjm’s picture

Title: Critical bug with node_revisions / Views 2.0 » Critical bug with node_revisions - vid as revision id versus vocab id
xjm’s picture

Status: Reviewed & tested by the community » Needs review

The scope of this vid issue in hook_rewrite_sql() is actually rather broad. Marked #660668: TAC + revisioning: Empty taxonomy term select list on node/add for regular users as duplicate. Setting back to "needs review" pending testing of this patch for that issue.

ayalon’s picture

Can someone test this patch, so we can get this critical issue fixed and commited?

xjm’s picture

Status: Needs review » Reviewed & tested by the community

I'm giving up for now on anyone testing this patch for the other issue. Going to commit this.

xjm’s picture

Status: Reviewed & tested by the community » Fixed

Committed to -dev:
http://drupal.org/cvs?commit=403922

New dev build should be available within 24 hours.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

xjm’s picture

The patch available in #881210: No list or create permissions on any terms may result in incorrect use of default on save should resolve any remaining problems like this. If you still encounter this bug or anything like it, please test the patch from that issue with the latest dev build of TAC. Direct link to patch:
http://drupal.org/files/issues/tac_881210-9.patch