Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.node_gallery_get_gallery_list() function should use db_rewrite_sql()
Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.node_gallery_get_gallery_list() function should use db_rewrite_sql()
Top Drupal contributor Acquia would like to thank their partners for their contributions to Drupal.
Drupal is a registered trademark of Dries Buytaert.
Comments
Comment #1
crea CreditAttribution: crea commentedI think it's safe to assume that user must have view access to the gallery before being able to move images into it. I can't imagine usecases that work otherwise.
If user doesn't have view access to the gallery, we are disclosing node title which is a bad thing
Comment #2
crea CreditAttribution: crea commenteddb_rewrite_sql() only checks access for the current user, so we can't use it together with arbitrary $uid which the function takes as an argument. We could use something like node_access() function instead..
Regardless of the solution, I think this function is totally messed up and I think it's good idea to fix it inside single issue, so closing this one.
See #1242854: node_gallery_get_gallery_list() and node_gallery_user_access() are totally messed up to continue