The function node_list_permissions() (called by node_permission()) builds the permission strings by passing the content type machine name to check_plain(), while node_node_access(), which uses those permissions, doesn't build those permission strings by passing the content type machine name to check_plain().

Considering that the characters allowed for a machine name are letters (which don't include accented letters), underscores, and numbers, the call to check_plain() returns the same strings it gets as parameter; therefore, calling check_plain() is not necessary.

If the value returned by check_plain() is different from the value it gets (for example, the content type machine names are allowed to contain >), then the permissions being defined would be different from the permissions being checked.
```php
function node_list_permissions($type) {
  $info = node_type_get_type($type);
  // The machine name is escaped here before it is used in permission names.
  $type = check_plain($info->type);

  // Build standard list of node permissions for this type.
  $perms = array(
    "create $type content" => array(
      'title' => t('%type_name: Create new content', array('%type_name' => $info->name)),
    ),
    "edit own $type content" => array(
      'title' => t('%type_name: Edit own content', array('%type_name' => $info->name)),
    ),
    // ... (omitted)
  );

  return $perms;
}

function node_node_access($node, $op, $account) {
  // The machine name is used unescaped here.
  $type = is_string($node) ? $node : $node->type;

  if (in_array($type, node_permissions_get_configured_types())) {
    if ($op == 'create' && user_access('create ' . $type . ' content', $account)) {
      return NODE_ACCESS_ALLOW;
    }
    // ... (omitted)
  }
}
```

Comment | File | Size | Author |
---|---|---|---|
#5 | remove_checkplain-1000074-5.patch | 452 bytes | naxoc |
#2 | remove_checkplain-1000074-2.patch | 1.36 KB | naxoc |
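
The mismatch described in the issue summary, as an added stand-alone PHP example that is not Drupal code and not part of the original issue. All function names are hypothetical stand-ins; the escaping stand-in assumes check_plain() behaves as htmlspecialchars() with ENT_QUOTES and UTF-8, and the sample type names are constructed.

```php
<?php
// Added example: stand-alone sketch, not Drupal code.
// Every function name below is a hypothetical stand-in.

// Stand-in for check_plain() (assumption: htmlspecialchars with ENT_QUOTES, UTF-8).
function escape_standin(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Mirrors node_list_permissions(): names are built from the ESCAPED type.
function defined_permissions(string $type): array {
  $type = escape_standin($type);
  return array("create $type content", "edit own $type content");
}

// Mirrors node_node_access(): the name is built from the RAW type.
function checked_permission(string $type, string $op): string {
  return $op . ' ' . $type . ' content';
}

// TRUE when the permission that gets checked is one that was defined.
function permission_names_agree(string $type, string $op): bool {
  return in_array(checked_permission($type, $op), defined_permissions($type), TRUE);
}

// Machine-name character set as described in the issue summary:
// unaccented letters, underscores and numbers.
function is_machine_name(string $type): bool {
  return preg_match('/^[A-Za-z0-9_]+$/', $type) === 1;
}

// Constructed sample names. The last one is not a valid machine name and
// only illustrates the hypothetical case raised in the issue summary.
$samples = array('article', 'blog_post_2', 'a>b');

foreach ($samples as $type) {
  printf(
    "%-12s machine_name=%-3s defined=%-28s checked=%-22s agree=%s\n",
    $type,
    is_machine_name($type) ? 'yes' : 'no',
    defined_permissions($type)[0],
    checked_permission($type, 'create'),
    permission_names_agree($type, 'create') ? 'yes' : 'no'
  );
}
```

For names that match the machine-name character set, escaping is an identity operation and the two sides agree; for the constructed `a>b` case the defined and checked permission names differ, so the check looks up a permission that was never defined.
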
Comments
Comment #1
apaderno

Comment #2
naxoc
This is still an issue in D8. Here is a patch that gets rid of the check.

Comment #3
swentel
Let's see what the bot says

Comment #4
sun
You can just drop the line involving check_plain() and retain the $type in the strings.

Comment #5
naxoc
You are right - I thought there was some kind of validation in node_type_get_type(). But this is much simpler. New patch.

Comment #6
sun
Thanks.

Comment #7
Dries
Committed to 8.x and back-ported to 7.x.

Comment #9
cweagans
Updating tags per http://drupal.org/node/1517250

Comment #9.0
apaderno
Fixed formatting.