Should do an exact match on perm, not substring. I also just cleaned up default perms to make a little more sense.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | user.perm__0.patch | 1.57 KB | RobRoy |
| | user.perm_.patch | 1.04 KB | RobRoy |
Comments
Comment #1
RobRoy commented: Whoops, didn't really test this. It's still an issue, but lemme get a working patch. :D
Comment #2
RobRoy commented: Okay, working patch. This is a potential security hole / oversight. Imagine a perm 'minister' or something. Then all those ministers can 'administer nodes'! :P
Should I set a variable to isset($permission) or is isset just as fast? I'm open to reorganizing this code if someone thinks it yucky.
Comment #3
Anonymous (not verified) commented: The `if (isset($permission))` doesn't work since $permission is always set. I suggest changing the default to FALSE and using `if ($permission !== FALSE)` instead.
Comment #4
RobRoy commented: Sorry, you're wrong. Something set to NULL is actually "unset" in PHP's eyes. Please see http://us.php.net/manual/en/types.comparisons.php or test the code in PHP yourself.
Comment #5
Anonymous (not verified) commented: @RobRoy: Thanks for the reference to the documentation and sorry for the misinformation.
The patch looks good, I'm not set up yet to test though.
Comment #6
TR commented: The method signature and the check on !empty($permissions) were already addressed in commits a816fead and b17cd3b6.
The promiscuous matching of permission name is still in there - I don't know whether this was by design or not, but it *has* been removed in Drupal 7 where an exact match is now required. Leaving this open as a Drupal 6.x issue.
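
The substring-versus-exact-match problem discussed in this thread, together with the `isset()` behaviour on a NULL default from comments #3 and #4, as an added example. It is not the attached patch or the module's code: the function names, the comma-separated storage format and the sample roles are assumptions made for illustration.

```php
<?php
// Constructed sample data: role name => permissions stored as one
// comma-separated string (an assumed storage format).
$role_perms = array(
  'editor' => 'access content, administer nodes',
  'clergy' => 'access content, minister',
);

// Substring match (hypothetical helper): any permission name that occurs
// anywhere inside the stored string passes, so 'minister' is found inside
// 'administer nodes'.
function perm_match_substring($stored, $permission) {
  return strpos($stored, $permission) !== FALSE;
}

// Exact match (hypothetical helper): split the string and compare whole
// permission names. With the NULL default, isset($permission) is FALSE when
// the argument is omitted or NULL, so the full list is returned instead of
// a boolean.
function perm_match_exact($stored, $permission = NULL) {
  $perms = array_map('trim', explode(',', $stored));
  if (isset($permission)) {
    return in_array($permission, $perms, TRUE);
  }
  return $perms;
}

// Check both roles for the 'minister' permission with each matcher.
foreach ($role_perms as $role => $stored) {
  printf("%-7s substring=%s exact=%s\n", $role,
    var_export(perm_match_substring($stored, 'minister'), TRUE),
    var_export(perm_match_exact($stored, 'minister'), TRUE));
}

// No permission argument: isset() treats the NULL default as unset, so the
// parsed permission list comes back.
var_export(perm_match_exact($role_perms['clergy']));
```

Only the substring matcher reports the `editor` role as holding `minister`; the exact matcher compares whole names and does not.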