Although I'm not sure I share your view, I can certainly respect your opinion here. At one point in time. Ron is bumping up against hard limits on node_access which currently does not allow for value based security to be attached to a node add event. On the issue in question, several alternatives were debated, but none got any traction. All have suggested node_access revamp. Which is a much bigger issue. That being said, the static caching of mechanism of user_cache will affect any module that tries to elevate roles behind the scenes whether temporary or permanently. These are potential issues for other modules such as LDAP groups or others that seek to set role membership based on a login event without user intervention. I think that having control over a cache mechanism is not an unreasonable request. Or stated in another way, I'm not sure that giving developers control over a cache mechanism is a security concern. So yes, I noticed, but this seemed like the most secure of the options that I've seen IMHO. Time will tell wether core commit team agrees. Dave On Aug 25, 2007, at 1:52 AM, Gerhard Killesreiter wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
David Metzler schrieb:
The permissions (user roles) are being altered temporarily. The reasons are documented in the issue Ron has referenced.
I've said it once and I say it again since apparently nobody noticed:
Temporarily changing user roles (per page request) is (currently) unsupported by Drupal.
I'd even argue that it shouldn't be supported and that what Ron is doing should be achieved in another way.
Cheers, Gerhard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGz9tkfg6TFvELooQRAu7yAKCHUg0KbF+Aj0l5VsE4Nmn6cTUTmgCgo39m G+VDt5ihnhiN7eEGKXg9lX8= =llJu -----END PGP SIGNATURE-----