I have a content type with a realname_userreference field called "recipient" that is configured to use a view (and a custom views filter) to limit the autocomplete suggestions for user lookups. The problem I am running into is that users can go to http://mysite.com/realname_userreference/autocomplete (the direct path to the autocomplete callback) and see a list of the unfiltered users. I believe my problem is in the function realname_userreference_auto and the fact that "$field_name" is empty when browsing the callback directly.

CommentFileSizeAuthor
#7 autocomplete-callback-permission-840964-7.patch1.68 KBguillaumeduveau
#5 realname-userreference-auto-840964-4.patch1.57 KBderuitern
#1 realname-userreference-auto-840964-1.patch1.57 KBderuitern

Comments

deruitern’s picture

deruitern commented
StatusFileSize
new realname-userreference-auto-840964-1.patch1.57 KB

Here is a patch that fixed this problem for me. It simply checks that $field_name is not empty, to make sure that the data is being requested by a field rather than being browsed to directly by a user. I've verified that the callback returns nothing if I go to http://mysite.com/realname_userreference/autocomplete, but and the field still works as expected.

guillaumeduveau’s picture

guillaumeduveau
Location Toulouse
commented

Thanks a lot deruitern, actually I thought I had fixed that in #716794: Permission of the autocomplete callback path but it's not working ! I'd prefer to understand what happens in that other bug first...

guillaumeduveau’s picture

guillaumeduveau
Location Toulouse
commented
Assigned: Unassigned » guillaumeduveau
guillaumeduveau’s picture

guillaumeduveau
Location Toulouse
commented
Title: realname_userreference_auto does not use view when accessing callback directly » Permission of the autocomplete callback path
Category: bug » feature
Status: Needs review » Postponed (maintainer needs more info)

It's more a feature request, since in general Realnames are intended to be public as stated by the Drupal security team. But I do understand your point.

Isn't it possible to fake that a field is requesting http://mysite.com/realname_userreference/autocomplete ? Otherwise your solution seems OK, but why doesn't it work with the permissions like I wrote in http://drupal.org/node/716794#comment-4090534 ?

deruitern’s picture

deruitern commented
Status: Postponed (maintainer needs more info) » Needs review
StatusFileSize
new realname-userreference-auto-840964-4.patch1.57 KB

Well, in my instance the Realnames are not intended to be public and are only for privileged users - and this part is working ... my Realnames cannot be accessed unless the user is logged in, ie. 'access content'.

For my setup, have a couple of different roles on my site, for example a customer role and a user role. I'm using a custom views filter to prevent customers from being able to reference other customer in the system, however users can reference any users or customers.

All AJAX requests and permissions are working fine when called from a module, but I think the issue is that if the callback is accessed directly in the URL. You are correct in that is possible to fake $field, so I've attached a patch to make sure that $field is a valid field before making the json request. Its seems that if $field is empty, the potential_references_views never gets called, but potential_references_standard does instead, even if the field is set up to use a view ... I'm assuming the default behavior for standard is to return all users, but a userreferences based on views, should only return the results from the view. Let me know if that doesn't make sense.

guillaumeduveau’s picture

guillaumeduveau
Location Toulouse
commented
Version: 6.x-1.1 » 6.x-1.x-dev

Like in CCK Nodereference, I prefer to check the access in a dedicated function outside of realname_userreference_auto(), and I guess the permission checks are fine too. So I'm thinking of :

Modification :

/**
 * Implementation of hook_menu().
 */
function realname_userreference_menu() {
  $items = array();
  $items['realname_userreference/autocomplete'] = array(
    'title' => 'Realname Userreference autocomplete',
    'page callback' => 'realname_userreference_auto',
    'access callback' => 'realname_userreference_auto_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK
  );
  return $items;
}

Add that :

/**
 * Check access to the menu callback of the autocomplete widget.
 *
 * Check for both 'edit' and 'view' access in the unlikely event
 * a user has edit but not view access.
 */
function realname_userreference_auto_access($field_name) {
  return user_access('access content') && ($field = content_fields($field_name)) && isset($field['field_name']) && content_access('view', $field) && content_access('edit', $field);
}

What do you think ? Thanks again for pointing and helping with that issue.

guillaumeduveau’s picture

guillaumeduveau
Location Toulouse
commented
StatusFileSize
new autocomplete-callback-permission-840964-7.patch1.68 KB

Discovering Git, I hope the patch is OK.

deruitern’s picture

deruitern commented
Status: Needs review » Reviewed & tested by the community

Hey guix, I wasn't able to apply this patch for some reason, but I applied it by hand and after testing, it seems to have resolved my issue. Thanks for the help.

guillaumeduveau’s picture

guillaumeduveau
Location Toulouse
commented

Good, I'll commit on monday and release 6.x-1.2 !

guillaumeduveau’s picture

guillaumeduveau
Location Toulouse
commented
Version: 6.x-1.x-dev » 6.x-1.2
Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.