Suppress Teasers
Concept
The current Drupal core defines two content types, page and story. Anyone with the 'access content' permission can see both the nodes these content types define and the teasers they provide.
When creating modules that define new content types, the developer sets 'view' permissions inside hook_access(). However, this hook is not called when rendering teasers. As a result, users who do not have permission to view the node itself (but do have the 'access content' permission) will still be able to view the teaser for the node. This can be a risk to the security of the data on your site, as users may be able to see content of nodes that they shouldn't be able to see.
Solution
I have created this module to deal with the problem. Before rendering the teaser for a node, this module checks whether the user has permission to view that node. If they don't have permission to view the node in question, all content is stripped from the teaser, and a message is provided informing the user that they don't have permission to view that teaser. This works for all teasers everywhere, all the time.
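The check described above can be sketched for Drupal 6 as follows. This is an added example, not the Suppress Teasers source code: the module name `example_teaser_guard` and the variable name `example_teaser_guard_message` are assumptions, and only the default message text comes from this page.

```php
<?php
// Added example for a hypothetical Drupal 6 module "example_teaser_guard".

/**
 * Implementation of hook_nodeapi().
 *
 * For $op == 'view', Drupal 6 passes $a3 = $teaser and $a4 = $page.
 */
function example_teaser_guard_nodeapi(&$node, $op, $a3 = NULL, $a4 = NULL) {
  // Only act while a teaser is being built; full node pages are already
  // protected because node_access() is checked before they are shown.
  if ($op != 'view' || !$a3) {
    return;
  }

  // node_access() runs the complete check for the current user, including
  // the hook_access() of the module that defines this node type.
  if (node_access('view', $node)) {
    return;
  }

  // Hypothetical variable name; an admin settings form would store it.
  $message = variable_get(
    'example_teaser_guard_message',
    t('You do not have permission to view this item')
  );

  // Replace the whole render array rather than unsetting single keys, so
  // that nothing added by the node module or by earlier hook_nodeapi()
  // implementations survives into the rendered teaser.
  $node->content = array(
    'example_teaser_guard_message' => array(
      '#value' => '<p>' . check_plain($message) . '</p>',
      '#weight' => 0,
    ),
  );

  // The node title is printed by the theme, not from $node->content, so
  // it is not affected by this replacement.
}
```

Modules that run later in the same hook can still add elements to `$node->content`, so a module like this needs a weight in the `system` table that places it after them.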
Issues with this module
- Unfortunately, I am not sure how to prevent the node from rendering in the first place. So instead of the teaser not rendering at all (the ideal solution), the space where the teaser should have been is rendered with a message informing them that they do not have permissions to view the information contained (not as ideal, but still a solution to the initial problem). If anyone has any ideas on how this could be improved, I'd love to hear them.
- Be warned that installing this module will place an additional, minor burden on your server when rendering teaser pages, as it has to add a check to permissions for each teaser it renders. I have found this to be unnoticeable, but it's possible that it may be noticeable on servers without as much power.
Potential alternative solution for this problem
I have been informed that "if you are creating a module that implements a content type you need to take additional measures for node lists"; however, no additional information was given on how to do this, so I am still not clear about how to do this. I am sure that I am not the only developer in this position, so I'm sure that other modules besides the ones I have developed are also rendering teasers when they shouldn't. This module solves that problem. If someone does inform me of how to check permissions when rendering nodes in custom content types, I will make sure to add that information to this post, so that developers looking at this module can instead deal with it at the module level, rather than having to resort to using this module. But until then, this module serves a distinct purpose.
Who this module is for
This module is useful for two groups of people:
- Developers of modules that define custom content types, where the teaser shows even though permissions haven't been granted to the user in hook_access().
- Administrators of sites that are showing teasers for custom content types even though the user doesn't have permissions to view the nodes themselves.
Module usage
- This module works right away upon installation. After installing it, teasers will be suppressed without any configuration.
- The user is shown the message "You do not have permission to view this item" for any teasers that have been suppressed. To change this to something else, navigate to admin/settings/suppress_teasers, and set your message there.
Updates
- July 6, 2009
  - As requested in my issue queue, I added a message that displays when the user does not have permission to see the node, as well as the ability to change that message at admin/settings/suppress_teasers.
  - Japanese translation for default message added
Releases
| Official releases | Date | Size | Links | Status |
|---|---|---|---|---|
| 6.x-1.1 | 2009-Jul-06 | 6.48 KB | Download · Release notes | Recommended for 6.x |
