Problem: if somebody visits http://example.com/node/123invalid then the menu item for $entity_type/%/group is triggered, which has og_ui_get_group_admin() as access callback. That function receives the user supplied identifier from the menu system (in the example this would be "123invalid") and passes it on to further API functions without validation. This then results in an EntityMetadataWrapperException down the line.
EntityMetadataWrapperException: Invalid data value given. Be sure it matches the required data type and format. in EntityDrupalWrapper->set() (line 736 of entity/includes/entity.wrapper.inc).
Solution: either og_ui_get_group_admin() validates the identifier or we use an explicit access callback function that wraps og_ui_get_group_admin() and returns proper TRUE/FALSE values.
Comment | File | Size | Author |
---|---|---|---|
#3 | og-ui-admin-exception-2242237-3.patch | 1.47 KB | klausi |
#1 | og-ui-admin-exception-2242237-1.patch | 635 bytes | klausi |
Comments
Comment #1
klausi
Patch attached.
TODO: test case.
Comment #2
amitaibu
> TODO: test case.
Are you going to provide one? :)
Comment #3
klausi
Sure, as the test case is so easy for this one :-)
Not sure if that test class is the right place to put it, but I leave that to your judgment.
Comment #4
shushu
I didn't get too much into the reason, but this patch has a strange effect.
Let's say I have a node 1 which is a group. Without the patch, going to
http://localhost/node/1junk
would have caused the ugly error message we want to avoid, but with the patch we actually get the node, as if we were using
http://localhost/node/1
What I was expecting, and should happen, is that we will just get 403.
Comment #5
klausi
That is expected core behavior, even without OG.
Comment #6
shushu
Good to know. Didn't expect that.
Comment #7
amitaibu
Committed, thanks.
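
The two options named under "Solution" in the issue summary (validate the identifier, or wrap the callback so it returns a proper TRUE/FALSE) can be combined, as in this added example, which is not the committed patch or Organic Groups code. The function names, the `$delegate` parameter and the sample inputs are hypothetical; `$delegate` stands in for `og_ui_get_group_admin()`.

```php
<?php
/**
 * Returns TRUE only for a canonical positive decimal entity ID.
 *
 * is_numeric() is deliberately avoided: it also accepts values such as
 * "1e3", "1.5", " 12" and "-1", none of which is a usable entity ID.
 */
function example_is_valid_entity_id($id) {
  if (is_int($id)) {
    return $id > 0;
  }
  return is_string($id) && preg_match('/^[1-9][0-9]*\z/', $id) === 1;
}

/**
 * Access callback wrapper: validate first, then delegate, always return a bool.
 *
 * $delegate is a hypothetical stand-in for the wrapped callback.
 */
function example_group_admin_access($entity_type, $etid, callable $delegate) {
  if (!example_is_valid_entity_id($etid)) {
    return FALSE;
  }
  try {
    return (bool) $delegate($entity_type, (int) $etid);
  }
  catch (Exception $e) {
    // Fail closed: an error while resolving the group never grants access.
    return FALSE;
  }
}

// Constructed stand-in: throws for any ID it cannot resolve, like the
// wrapper exception quoted in the issue summary.
$delegate = function ($entity_type, $etid) {
  if ($etid !== 123) {
    throw new InvalidArgumentException('Invalid data value given.');
  }
  return array('people' => 'admin link');
};

// Constructed sample path arguments; only '123' is granted access.
foreach (array('123', '123invalid', '1e3', ' 123', '-1', '0', '456') as $arg) {
  $ok = example_group_admin_access('node', $arg, $delegate);
  printf("%-12s => %s\n", var_export($arg, TRUE), $ok ? 'TRUE' : 'FALSE');
}
```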