chx, I wrote that note this morning then went to work and realized that node_access can't control create.<br><br>Sorry.<br><br>But I'm skipping through the thread, so should probably go back to painting my kitchen.
<br><br>- Ken<br><br><br><div><span class="gmail_quote">On 8/28/07, <b class="gmail_sendername">Ron Parker</b> <<a href="mailto:sysop@scbbs.com">sysop@scbbs.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"><span class="q">
<pre>On Aug 28, 2007, at 4:04 AM, Karoly Negyesi wrote:<br><br>> Changing user_access could lead to very obscure and hard to debug <br><span>> </span>privilege escalation holes: some code may make presumptions about
<br><span>> </span>if a page is allowed by menu then certain permissions are set which <br><span>> </span>might not be true if you fiddle with roles on the fly. Saying that <br><span>> </span>this does not happen currently won't change the fact that it could.
<br></pre></span>
<pre>Let me again make it crystal clear: The user_access() patch I submitted here <a href="http://drupal.org/node/170524" target="_self" onclick="return top.js.OpenExtLink(window,event,this)">http://drupal.org/node/170524
</a> does NOT change user roles or alter current user_access functionality or permissions in any way. It simply resets the permissions calculated by user_access. It clears the cache. AND, it's optional! You have to send the command: user_access('', NULL, TRUE) in order for it to execute, otherwise, user_access is not affected at all. So, if you don't need it, you don't use it.
<br><br>> Just overdefine the menu item that you want to change and define <br><span class="q"><span>> </span>your access mechanism. Because node/add is defined as cached you <br><span>> </span>can put your menu definition in !$may_cache with the same path -- it
<br><span>> </span></span>will overwrite the original definition. In Drupal 6, you want to do a<br><br>The OG User Roles (OGR) module basically performs most of the functionality most users need it to do now, and with no patches to the core module, and no "overdefinitions" in hook_menu. It utilizes $user->roles because that's what $user->roles was designed to do: Tell you what permissions a user has. This whole current issue arose because I discovered user_access() was caching permissions and thus causing a problem with OGR and the
upload.module. And, there was no way to clear this cache like there is practically everywhere else in Drupal. I further realized that this same issue had caused compatibility problems with the BuddyList, OG Forum and Relativity modules which, as you suggested, I wrote around to resolve.
<br><br>However, at some point, it seems ridiculous to keep trying to write customized code for every module where I have this problem when the simple solution is to reset the cache, a rather harmless option that should be available everywhere that Drupal creates a cache (including user_access()).
<br><br>I know you don't want to support role changes on the fly, but killing Peter to spite Paul doesn't seem like a logical way to do it.<br><br>-ron<br></pre><span class="q">
<pre cols="72">-- <br>Ron Parker<br>Software Creations <a href="http://www.scbbs.com" target="_self" onclick="return top.js.OpenExtLink(window,event,this)">http://www.scbbs.com</a>
Self-Administration Web Site <a href="http://saw.scbbs.com" target="_self" onclick="return top.js.OpenExtLink(window,event,this)">http://saw.scbbs.com</a>
SDSS Subscription Mgmt Service <a href="http://sdss.scbbs.com" target="_self" onclick="return top.js.OpenExtLink(window,event,this)">http://sdss.scbbs.com</a>
Central Ave Dance Ensemble <a href="http://www.centralavedance.com" target="_self" onclick="return top.js.OpenExtLink(window,event,this)">http://www.centralavedance.com</a>
R & B Salsa <a href="http://www.randbsalsa.com" target="_self" onclick="return top.js.OpenExtLink(window,event,this)">http://www.randbsalsa.com</a>
</pre>
</span></div>
</blockquote></div><br>
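The caching behaviour discussed in this thread, as an added example that is not part of the original messages and is not Drupal core's code: a simplified model of a per-request static permission cache with an optional reset flag, showing how a role change made mid-request is invisible until the cache is cleared. The function name `demo_user_access`, the role ids and the permission names are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample data: role id => permissions granted by that role.
const ROLE_PERMS = [
  2 => ['access content'],                      // authenticated user
  5 => ['upload files', 'create group posts'],  // hypothetical group role
];

// Hypothetical stand-in for a cached permission check. The answer is memoised
// per uid in a static array, so it reflects $account->roles as they were on
// the first call of the request, not as they are now.
function demo_user_access(string $perm, object $account, bool $reset = false): bool {
  static $cache = [];
  if ($reset) {
    $cache = [];      // optional reset: drop every memoised permission set
    if ($perm === '') {
      return false;   // reset-only call, modelled on user_access('', NULL, TRUE)
    }
  }
  if (!isset($cache[$account->uid])) {
    $cache[$account->uid] = [];
    foreach (array_keys($account->roles) as $rid) {
      foreach (ROLE_PERMS[$rid] ?? [] as $p) {
        $cache[$account->uid][$p] = true;
      }
    }
  }
  return isset($cache[$account->uid][$perm]);
}

function show(string $label, object $account): void {
  printf("%-34s %s\n", $label, var_export(demo_user_access('upload files', $account), true));
}

$account = (object) ['uid' => 42, 'roles' => [2 => 'authenticated user']];
show('first check (fills cache):', $account);

// A module grants a role mid-request; the memoised set does not include it.
$account->roles[5] = 'group member';
show('role added, cache not reset:', $account);
demo_user_access('', $account, true);
show('role added, after reset:', $account);

// The reverse direction is the security-relevant one: the role is removed,
// but the memoised set still carries its permissions until the reset.
unset($account->roles[5]);
show('role removed, cache not reset:', $account);
demo_user_access('', $account, true);
show('role removed, after reset:', $account);
```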