msonnabaum pointed out that we have roughly 2x the number of db placeholders in views that display Message entities as compared to views that display nodes. For example: the highest db_placeholder as reported by devel query log on a test site by view base table:

message:
:db_condition_placeholder_28)
node:
db_condition_placeholder_12

What's interesting is that message views seem to get the number of placeholders as the node view times two, plus some number. Eg, 12*2 = 24 + 4 = 8.

CommentFileSizeAuthor
#1 2206099-commons-node-access-dupe-clauses-1.patch6.49 KBezra-g

Comments

ezra-g’s picture

ezra-g commented
Status: Active » Needs review
StatusFileSize
new 2206099-commons-node-access-dupe-clauses-1.patch6.49 KB

I believe this problem was introduced with #1797462: Enforce node access restrictions on Activity stream entires. The cause appears to be that we added both the "content access" filter and the "published or admin filter" when only the "published or admin" filter was necessary to enforce node access, since Drupal Core's node module is able to detect that we're joining against the node table for these views.

If there were a view with message as the base table that did not join against the node table (which seems possible if we only joined against the table used to *reference* nodes such as field_data_field_target_nodes), then the content access filter would be necessary.

Here's a patch to remove the duplicative filters and revert the updated views.

This needs rigorous functional testing.

japerry’s picture

japerry
Location KOMK
commented
Status: Needs review » Reviewed & tested by the community

I think we're good here! Ran the following test cases against the current system, and then again with the updb executed (which successfully reverted the view).

1) Setup non-admin and admin user
2) Create a private group with admin user
3) Post content within the private group
4) non-admin user cannot see group, nor activity related to group with visiting activity
5) User is added to private group
6) user can now see activity from the private group in the activity stream
7) user comments on private content
8) admin removes non-admin user from group
9) user cannot see comments or node from activity stream
10) anonymous users cannot see any content that is private.

Apply patch, retest. Success!

ezra-g’s picture

ezra-g commented
Status: Reviewed & tested by the community » Fixed

Thanks for the testing, japerry!

This is committed: http://drupalcode.org/project/commons.git/commit/ad678dd.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.