In Drupal Core 6.x, the query that built the admin/content/node page was passed through the node access system, and any node access module that implemented hook_db_rewrite_sql() could remove the API nodes from the page.

In 7.x, the query for that page isn't run through the node access system (there is no "node_access" tag added to the query). Instead, anyone with "view content overview" permission gets to see all published nodes.

This needs tests which need to be backported to D7. There's a node_test.module that implements some node access stuff afaik.

Commit credit should go to jhodgdon. Here's the patch we committed to D7.

Private tracker #: 72648

Files:

Comment  File                                                    Size       Author
#12      1558478_12.patch                                        1.77 KB    chx
         PASSED: [[SimpleTest]]: [MySQL] 39,352 pass(es).
#8       node-access-admin-content-1558478-7-tests-only.patch    1.92 KB    Berdir
         FAILED: [[SimpleTest]]: [MySQL] 39,810 pass(es), 1 fail(s), and 0 exception(s).
#8       node-access-admin-content-1558478-7.patch               2.33 KB    Berdir
         PASSED: [[SimpleTest]]: [MySQL] 40,131 pass(es).
#6       drupal-1558478-6.patch                                  422 bytes  tim.plunkett
         PASSED: [[SimpleTest]]: [MySQL] 37,292 pass(es).
         fix-node-access-admin-nodes-7x-do-not-test.patch        402 bytes  webchick
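
An added illustration of the mechanism the summary describes (this is not the patch attached to the issue and not Drupal core code): in Drupal 7 a SelectQuery is only subject to node access restrictions when it carries the "node_access" tag, which is what causes node module's hook_query_node_access_alter() implementation to join the node_access table against the current user's grants. Below, a simplified stand-in for the admin/content listing query is shown untagged and tagged, next to a hypothetical node access module that hides one content type. Everything prefixed "example_", the permission name and the content type name are invented for this example; the Drupal API calls (db_select(), addTag(), user_access(), hook_node_grants(), hook_node_access_records()) are real D7 APIs, and a bootstrapped Drupal 7 site is assumed.

```php
<?php
// Added example only; not the patch from this issue and not Drupal core code.
// Assumes a bootstrapped Drupal 7 site. Names prefixed "example_", the
// permission 'see example private nodes' and the node type 'example_private'
// are invented for this illustration.

/**
 * Hypothetical node access module: implements hook_node_grants().
 *
 * Users holding the invented permission get grant ID 1 in the realm
 * 'example_private'; everyone else gets no grant in that realm.
 */
function example_private_node_grants($account, $op) {
  if ($op == 'view' && user_access('see example private nodes', $account)) {
    return array('example_private' => array(1));
  }
  return array();
}

/**
 * Implements hook_node_access_records() for the same hypothetical module.
 *
 * Nodes of the invented type 'example_private' are restricted to the realm
 * above; other types get no records and stay visible to everyone. Records
 * only take effect once node_access_rebuild() has populated the table.
 */
function example_private_node_access_records($node) {
  if ($node->type != 'example_private') {
    return array();
  }
  return array(array(
    'realm' => 'example_private',
    'gid' => 1,
    'grant_view' => 1,
    'grant_update' => 0,
    'grant_delete' => 0,
    'priority' => 0,
  ));
}

/**
 * Stand-in for the admin/content listing query as the summary describes the
 * D7 state: no 'node_access' tag. The node access system never sees this
 * query, so every published node is returned to anyone who can reach the
 * page, including 'example_private' nodes the grants above would hide.
 */
function example_admin_nodes_untagged() {
  $query = db_select('node', 'n')->extend('PagerDefault')->extend('TableSort');
  $query->fields('n', array('nid', 'title', 'type', 'status', 'changed'))
    ->condition('n.status', 1)
    ->limit(50)
    ->orderBy('n.changed', 'DESC');
  return $query->execute()->fetchAllAssoc('nid');
}

/**
 * The same query carrying the 'node_access' tag. The tag triggers node
 * module's hook_query_node_access_alter(), which skips the rewrite for
 * accounts with 'bypass node access', does nothing when no module implements
 * hook_node_grants(), and otherwise joins node_access so that only rows
 * matching the current user's grants survive.
 */
function example_admin_nodes_tagged() {
  $query = db_select('node', 'n')->extend('PagerDefault')->extend('TableSort');
  $query->addTag('node_access');
  $query->fields('n', array('nid', 'title', 'type', 'status', 'changed'))
    ->condition('n.status', 1)
    ->limit(50)
    ->orderBy('n.changed', 'DESC');
  return $query->execute()->fetchAllAssoc('nid');
}

/**
 * Check to run as a user who lacks 'bypass node access': any nid present in
 * the untagged result but missing from the tagged one is a node the listing
 * exposed past the node access system.
 */
function example_leaked_nids() {
  $untagged = example_admin_nodes_untagged();
  $tagged = example_admin_nodes_tagged();
  return array_keys(array_diff_key($untagged, $tagged));
}
```

Two practical caveats when verifying a fix like this: with no module implementing hook_node_grants() the tag is a no-op, so a test has to enable a node access module (the thread points at the node access test module for exactly that reason), and the account running the check must not hold 'bypass node access' or the comparison above is vacuous.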

Comments

Issue tags: +Security improvements

Oops. And also...

Assigned: Unassigned » xjm

I'll work on this. I'm friends with the node access test module. :)

Are you still working on this? Critical bugs are currently above thresholds.

Should it even be marked critical? The security patch was already committed. This is just open for tests that need to be written.

This isn't committed to D8.

Status: Active » Needs review
File: new, 422 bytes. PASSED: [[SimpleTest]]: [MySQL] 37,292 pass(es).

Status: Needs review » Needs work

"This needs tests which need to be backported to D7. There's a node_test.module that implements some node access stuff afaik."

Status: Needs work » Needs review
File: new, 2.33 KB. PASSED: [[SimpleTest]]: [MySQL] 40,131 pass(es).
File: new, 1.92 KB. FAILED: [[SimpleTest]]: [MySQL] 39,810 pass(es), 1 fail(s), and 0 exception(s).

Ok, NodeQueryAlterTest might not be the perfect place, but it is very easy to extend them to check admin/content as well.

Status: Needs review » Reviewed & tested by the community

Couldn't be simpler.

Version: 8.x-dev » 7.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)

Awesome, THANKS.

Committed and pushed to 8.x. Needs a small re-roll for 7.x.

Status: Patch (to be ported) » Reviewed & tested by the community
File: new, 1.77 KB. PASSED: [[SimpleTest]]: [MySQL] 39,352 pass(es).

This only needs tests for D7 and the patch applied cleanly against node.test. If the bot comes back green it's good to go.

Status: Reviewed & tested by the community » Fixed

Yay! Committed and pushed to 7.x. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Assigned: xjm » Unassigned