In Drupal Core 6.x, the query that built the admin/content/node page was passed through the node access system, and any node access module that implemented hook_db_rewrite_sql() could remove the API nodes from the page.
In 7.x, the query for that page isn't run through the node access system (there is no "node_access" tag added to the query). Instead, anyone with "view content overview" permission gets to see all published nodes.
This needs tests which need to be backported to D7. There's a node_test.module that implements some node access stuff afaik.
Commit credit should go to jhodgdon. Here's the patch we committed to D7.
Private tracker #: 72648
Comment | File | Size | Author |
---|---|---|---|
#12 | 1558478_12.patch | 1.77 KB | chx |
#8 | node-access-admin-content-1558478-7-tests-only.patch | 1.92 KB | Berdir |
#8 | node-access-admin-content-1558478-7.patch | 2.33 KB | Berdir |
#6 | drupal-1558478-6.patch | 422 bytes | tim.plunkett |
fix-node-access-admin-nodes-7x-do-not-test.patch | 402 bytes | webchick | |
Comments
Comment #1
webchickOops. And also...
Comment #2
xjmI'll work on this. I'm friends with the node access test module. :)
Comment #3
Bojhan CreditAttribution: Bojhan commentedAre you still working on this? Critical bugs are currently above thresholds.
Comment #4
jhodgdonShould it even be marked critical? The security patch was already committed. This is just open for tests that need to be written.
Comment #5
aspilicious CreditAttribution: aspilicious commentedThis isn't committed to D8.
Comment #6
tim.plunkettComment #7
aspilicious CreditAttribution: aspilicious commented"This needs tests which need to be backported to D7. There's a node_test.module that implements some node access stuff afaik."
Comment #8
BerdirOk, NodeQueryAlterTest might not be the perfect place, but it is very easy to extend them to check admin/content as well.
Comment #9
Berdir#8: node-access-admin-content-1558478-7.patch queued for re-testing.
Comment #10
chx CreditAttribution: chx commentedCouldn't be simpler.
Comment #11
webchickAwesome, THANKS.
Committed and pushed to 8.x. Needs a small re-roll for 7.x.
Comment #12
chx CreditAttribution: chx commentedThis only needs tests for D7 and the patch applied cleanly against node.test. If the bot comes back green it's good to go.
Comment #13
webchickYay! Committed and pushed to 7.x. Thanks!
Comment #15
xjm