Issue status update for http://drupal.org/node/19009

 Project:      Drupal
 Version:      cvs
 Component:    comment.module
 Category:     bug reports
 Priority:     critical
 Assigned to:  chx
 Reported by:  nazadus
 Updated by:   Anonymous
 Status:       patch

The patch looks good now. I agree that centralizing the node_access checking should be another task. This patch is needed now and should also be backported to the 4.5 branch.

Gerhard

Anonymous

Previous comments:
------------------------------------------------------------------------

March 16, 2005 - 19:39 : nazadus

I believe I have found a bug. If you go to http://www.etherpunk.com/comment/reply/180 (possibly NSFW) it allows you to view the posting (while you don't have permission to actually post, it still allows the page to get displayed).

I found this out by using awstats on my box and found that a hidden page was getting hit fairly common that I really don't want getting shown (well, it's on the web, I know... but... I'd rather have more controlled access).

Does this belong in the comment section for not obeying TAC?

Can anyone confirm this on their site?

Kenny

------------------------------------------------------------------------

March 16, 2005 - 20:02 : pyromanfo

That's definitely something you need to take up with the comment module guys. It's not just taxonomy access control either, it's the core node_access hooks in Drupal. If they'll just check that before displaying a node for reply, that'd fix it no problem.

------------------------------------------------------------------------

March 16, 2005 - 20:20 : moshe weitzman

filed under comment.module ... note that my big comment patch gets rid of this page entirely (consolidates under comment/edit) so it might make sense to apply my patch instead of fixing this.

------------------------------------------------------------------------

March 20, 2005 - 02:14 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access.patch (1.36 KB)

moshe, http://drupal.org/node/18656 this does not seem to affect the permissions of the comment/reply path. I think the approach I have taken is blatantly simple: literally check for access.

------------------------------------------------------------------------

March 20, 2005 - 02:24 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access_0.patch (1.51 KB)

------------------------------------------------------------------------

March 20, 2005 - 02:37 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access_1.patch (1.56 KB)

------------------------------------------------------------------------

March 20, 2005 - 02:38 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access_2.patch (1.56 KB)

------------------------------------------------------------------------

March 20, 2005 - 08:48 : Anonymous

The discovery of this patch makes me wonder whether we shouldn't centralize the access control a bit more. If a core module can show this kind of bug, contrib modules will almost certainly. I propose to do a node_access() check inside node_load.

Gerhard

------------------------------------------------------------------------

March 20, 2005 - 09:03 : Anonymous

I also don't think that the patch is working. node_access(arg(2)) should probably be node_access('view', $node) and the node needs loading before.

Gerhard

------------------------------------------------------------------------

March 20, 2005 - 09:28 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access_3.patch (1.61 KB)

OK, patch corrected. I think adding node_access to node_load would break havoc 'cos there are some routines (even in core) which do not check whether the node_load was successful or not. This is a whole another topic, please make another issue.

What we need, IMHO is to patch this quickly...

------------------------------------------------------------------------

March 20, 2005 - 09:31 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access_4.patch (1.65 KB)

I also forgot to check whether node_load was successful or not...

------------------------------------------------------------------------

March 20, 2005 - 09:31 : chx

Attachment: http://drupal.org/files/issues/comment_reply_access_5.patch (1.65 KB)
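
------------------------------------------------------------------------

The check order the thread converges on (load the node, confirm the load succeeded, then check 'view' access before rendering the reply page), shown beside the unchecked form. This is an added example, not the attached patch and not Drupal's code: demo_node_load() and demo_node_access() are hypothetical stand-ins for node_load() and node_access('view', $node), and the nodes and users are constructed.

```php
<?php
// Hypothetical stand-in for node_load(): returns FALSE when the node is missing.
// Constructed sample data: node 7 is public, node 180 is restricted.
function demo_node_load($nid) {
  $nodes = array(
    7   => array('nid' => 7,   'title' => 'Public post', 'public' => TRUE),
    180 => array('nid' => 180, 'title' => 'Hidden post', 'public' => FALSE),
  );
  return isset($nodes[$nid]) ? $nodes[$nid] : FALSE;
}

// Hypothetical stand-in for node_access('view', $node) for a given user.
function demo_node_access($op, $node, $user) {
  return $op == 'view'
    && ($node['public'] || in_array($node['nid'], $user['may_view']));
}

// Before: the reply page renders the parent node with no access check,
// so anyone who knows the node id can read a restricted node.
function reply_page_unchecked($nid, $user) {
  $node = demo_node_load((int) $nid);
  return '200 ' . $node['title'];
}

// After: load first, confirm the load succeeded, then check 'view' access.
function reply_page_checked($nid, $user) {
  $node = demo_node_load((int) $nid);
  if (!$node) {
    return '404 not found';          // load failed: nothing to check or show
  }
  if (!demo_node_access('view', $node, $user)) {
    return '403 access denied';      // node exists but this user may not view it
  }
  return '200 ' . $node['title'];
}

// Constructed users: anonymous may view nothing extra, member may view 180.
$anonymous = array('may_view' => array());
$member    = array('may_view' => array(180));

echo reply_page_unchecked(180, $anonymous), "\n"; // restricted node leaks
echo reply_page_checked(180, $anonymous), "\n";   // denied
echo reply_page_checked(180, $member), "\n";      // allowed
echo reply_page_checked(999, $anonymous), "\n";   // missing node
echo reply_page_checked(7, $anonymous), "\n";     // public node
```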