node_permission() uses check_plain() without a purpose [#1000074]

The function node_list_permissions() (called by node_permission()) builds the permission strings by passing the content type machine name to check_plain(), while node_node_access(), which uses those permissions, doesn't build those permission strings by passing the content type machine name to check_plain().

Considering that the characters allowed for a machine name are letters (which don't include accented letters), underscores, and numbers, the call to check_plain() returns the same strings it gets as parameter; therefore, calling check_plain() is not necessary.
If the value returned by check_plain() is different from the value it gets (for example, the content type machine names are allowed to contain >), then the permissions being defined would be different from the permissions being checked.

function node_list_permissions($type) {
  $info = node_type_get_type($type);
  $type = check_plain($info->type);

  // Build standard list of node permissions for this type.
  $perms = array(
    "create $type content" => array(
      'title' => t('%type_name: Create new content', array('%type_name' => $info->name)),
    ), 
    "edit own $type content" => array(
      'title' => t('%type_name: Edit own content', array('%type_name' => $info->name)),
    ),
    //... (omissis)
 }

function node_node_access($node, $op, $account) {
  $type = is_string($node) ? $node : $node->type;

  if (in_array($type, node_permissions_get_configured_types())) {
    if ($op == 'create' && user_access('create ' . $type . ' content', $account)) {
      return NODE_ACCESS_ALLOW;
    }
    // ... (omissis)
}

Comment	File	Size	Author
#5	remove_checkplain-1000074-5.patch	452 bytes	naxoc
#5
#2	remove_checkplain-1000074-2.patch	1.36 KB	naxoc
#2

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

apaderno

he/him

Italian

Brescia, 🇮🇹 🇪🇺

CreditAttribution: apaderno commented 16 December 2010 at 21:20

Title:

node_permission() uses check_plain() for the content type machine name, but node_node_access() doesn't

» node_permission() uses check_plain() without a purpose

Comment #2

naxoc CreditAttribution: naxoc commented 19 January 2012 at 10:13

Version:

7.x-dev

» 8.x-dev

File	Size
remove_checkplain-1000074-2.patch	1.36 KB

This is still an issue in D8. Here is a patch that gets rid of the check.

Comment #3

swentel CreditAttribution: swentel commented 19 January 2012 at 14:37

Status:

Active

» Needs review

Let's see what the bot says

Comment #4

sun

German

Karlsruhe

CreditAttribution: sun commented 19 January 2012 at 16:47

Status:

Needs review

» Needs work

+++ b/core/modules/node/node.module
@@ -3141,23 +3141,22 @@ function node_node_access($node, $op, $account) {
-  $type = check_plain($info->type);
...
-    "create $type content" => array(
+    "create {$info->type} content" => array(

You can just drop the line involving check_plain() and retain the $type in the strings.