diff --git a/core/modules/comment/comment.module b/core/modules/comment/comment.module
index e676e28..2c8e21d 100644
--- a/core/modules/comment/comment.module
+++ b/core/modules/comment/comment.module
@@ -523,6 +523,7 @@ function comment_get_recent($number = 10) {
 $query = db_select('comment', 'c');
 $query->innerJoin('node', 'n', 'n.nid = c.nid');
 $query->addTag('node_access');
+ $query->addMetaData('base_table', 'comment');
 $comments = $query
 ->fields('c')
 ->condition('c.status', COMMENT_PUBLISHED)
@@ -854,6 +855,7 @@ function comment_get_thread($node, $mode, $comments_per_page) {
 ->condition('c.nid', $node->nid)
 ->addTag('node_access')
 ->addTag('comment_filter')
+ ->addMetaData('base_table', 'comment')
 ->addMetaData('node', $node)
 ->limit($comments_per_page);
@@ -863,6 +865,7 @@ function comment_get_thread($node, $mode, $comments_per_page) {
 ->condition('c.nid', $node->nid)
 ->addTag('node_access')
 ->addTag('comment_filter')
+ ->addMetaData('base_table', 'comment')
 ->addMetaData('node', $node);
 if (!user_access('administer comments')) {
diff --git a/core/modules/forum/forum.module b/core/modules/forum/forum.module
index 635754c..9e4a702 100644
--- a/core/modules/forum/forum.module
+++ b/core/modules/forum/forum.module
@@ -664,7 +664,8 @@ function forum_block_save($delta = '', $edit = array()) {
 function forum_block_view($delta = '') {
 $query = db_select('forum_index', 'f')
 ->fields('f')
- ->addTag('node_access');
+ ->addTag('node_access')
+ ->addMetaData('base_table', 'forum_index');
 switch ($delta) {
 case 'active':
 $title = t('Active forum topics');
@@ -885,6 +886,7 @@ function forum_get_topics($tid, $sortby, $forum_per_page) {
 $query
 ->condition('f.tid', $tid)
 ->addTag('node_access')
+ ->addMetaData('base_table', 'forum_index')
 ->orderBy('f.sticky', 'DESC')
 ->orderByHeader($forum_topic_list_header)
 ->limit($forum_per_page);
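Review bot: The added `$query->addMetaData('base_table', 'comment');` in `comment_get_recent()` (comment.module, first hunk) carries no comment, although this query also joins `node` and, going by the node.module change in this commit, would presumably have defaulted to `node` as the base table without it. A one-line comment such as `// Node access is applied via the comment table; set explicitly because node is joined too.` would record that the override is deliberate. The same call is added without explanation in `comment_get_thread()`, `forum_block_view()`, `forum_get_topics()`, `taxonomy_select_nodes()` and `tracker_page()`, and in each the table name is a second string literal that has to stay in step with the `db_select()` call it belongs to.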
@@ -893,6 +895,7 @@ function forum_get_topics($tid, $sortby, $forum_per_page) {
 $count_query->condition('f.tid', $tid);
 $count_query->addExpression('COUNT(*)');
 $count_query->addTag('node_access');
+ $count_query->addMetaData('base_table', 'forum_index');
 $query->setCountQuery($count_query);
 $result = $query->execute();
diff --git a/core/modules/node/node.module b/core/modules/node/node.module
index bdd5051..9c1c2ac 100644
--- a/core/modules/node/node.module
+++ b/core/modules/node/node.module
@@ -3353,10 +3353,9 @@ function _node_query_node_access_alter($query, $type) {
 $tables = $query->getTables();
 $base_table = $query->getMetaData('base_table');
- // If no base table is specified explicitly, search for one.
+ // If the base table is not given, default to node if present.
 if (!$base_table) {
- $fallback = '';
- foreach ($tables as $alias => $table_info) {
+ foreach ($tables as $table_info) {
 if (!($table_info instanceof SelectInterface)) {
 $table = $table_info['table'];
 // If the node table is in the query, it wins immediately.
@@ -3364,38 +3363,11 @@ function _node_query_node_access_alter($query, $type) {
 $base_table = $table;
 break;
 }
- // Check whether the table has a foreign key to node.nid. If it does,
- // do not run this check again as we found a base table and only node
- // can triumph that.
- if (!$base_table) {
- // The schema is cached.
- $schema = drupal_get_schema($table);
- if (isset($schema['fields']['nid'])) {
- if (isset($schema['foreign keys'])) {
- foreach ($schema['foreign keys'] as $relation) {
- if ($relation['table'] === 'node' && $relation['columns'] === array('nid' => 'nid')) {
- $base_table = $table;
- }
- }
- }
- else {
- // At least it's a nid. A table with a field called nid is very
- // very likely to be a node.nid in a node access query.
- $fallback = $table;
- }
- }
- }
 }
 }
- // If there is nothing else, use the fallback.
+ // Bail out if the base table is missing.
 if (!$base_table) {
- if ($fallback) {
- watchdog('security', 'Your node listing query is using @fallback as a base table in a query tagged for node access. This might not be secure and might not even work. Specify foreign keys in your schema to node.nid ', array('@fallback' => $fallback), WATCHDOG_WARNING);
- $base_table = $fallback;
- }
- else {
- throw new Exception(t('Query tagged for node access but there is no nid. Add foreign keys to node.nid in schema to fix.'));
- }
+ throw new Exception(t('Query tagged for node access but there is no node table, specify the base_table using meta data.'));
 }
 }
diff --git a/core/modules/taxonomy/taxonomy.module b/core/modules/taxonomy/taxonomy.module
index e82edfc..73d7455 100644
--- a/core/modules/taxonomy/taxonomy.module
+++ b/core/modules/taxonomy/taxonomy.module
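Review bot: In `_node_query_node_access_alter()` (node.module, second hunk) a `base_table` supplied through metadata is accepted as long as it is non-empty; nothing after the final `if (!$base_table)` check confirms that it names a table present in `$tables`. The function continues beyond this hunk, so this is inferred rather than visible, but if the grant condition is attached by matching table names, a misspelled or stale value would leave the query without any access restriction instead of failing the way the missing-table case now does. I would add a membership check that throws in the same style, placed right after the block that closes this hunk, assuming a plain table-name comparison matches how the rest of the function resolves aliases.

```php
// … unchanged: base_table lookup and the missing-base-table exception …

  // A base_table that names no table in the query must not pass silently.
  $base_table_found = FALSE;
  foreach ($tables as $table_info) {
    if (!($table_info instanceof SelectInterface) && $table_info['table'] === $base_table) {
      $base_table_found = TRUE;
      break;
    }
  }
  if (!$base_table_found) {
    throw new Exception(t('Query tagged for node access but base_table @table is not part of the query.', array('@table' => $base_table)));
  }
```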
@@ -224,6 +224,7 @@ function taxonomy_select_nodes($tid, $pager = TRUE, $limit = FALSE, $order = arr
 }
 $query = db_select('taxonomy_index', 't');
 $query->addTag('node_access');
+ $query->addMetaData('base_table', 'taxonomy_index');
 $query->condition('tid', $tid);
 if ($pager) {
 $count_query = clone $query;
diff --git a/core/modules/tracker/tracker.pages.inc b/core/modules/tracker/tracker.pages.inc
index 30583be..c917cc8 100644
--- a/core/modules/tracker/tracker.pages.inc
+++ b/core/modules/tracker/tracker.pages.inc
@@ -37,6 +37,7 @@ function tracker_page($account = NULL, $set_title = FALSE) {
 // while keeping the correct order.
 $nodes = $query
 ->addTag('node_access')
+ ->addMetaData('base_table', 'tracker_node')
 ->fields('t', array('nid', 'changed'))
 ->condition('t.published', 1)
 ->orderBy('t.changed', 'DESC')
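Review bot: In `tracker_page()` (tracker.pages.inc) the literal `'tracker_node'` is attached to a `$query` that is built above this hunk, and the function takes an `$account` argument; if the per-account path selects from a different table, the metadata will not name any table in that query. The remaining body of `_node_query_node_access_alter()` is not shown in this commit, so the effect is inferred, but a non-matching value could mean the per-user listing runs without grant checks. Setting `->addMetaData('base_table', …)` at each `db_select()` call, next to the table name it has to match, would keep the two from diverging.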