[drupal-devel] [bug] Popular Content block shows restricted content

ankur drupal-devel at drupal.org
Thu Apr 21 22:38:33 UTC 2005

Issue status update for http://drupal.org/node/20391

 Project:      Drupal
 Version:      cvs
 Component:    statistics.module
 Category:     bug reports
 Priority:     critical
 Assigned to:  Anonymous
 Reported by:  menesis
 Updated by:   ankur
 Status:       patch


The node_privacy_byrole module in contribs makes changes to the
node_access table that get ignored by the title listings generated by
statistics.module's popular content listings.  This is because the
queries used to generate the listings don't check permissions on a JOIN
to the node_access table as they should.  The problem came to my
attention in the issues queue for node_privacy_byrole:

The patch changes the query so that it calls db_rewrite_sql() which in
turn calls node_db_rewrite_sql() which is the function that inserts the
node_access check into the query.



Previous comments:

April 12, 2005 - 19:34 : menesis

Attachment: http://drupal.org/files/issues/popular_content_access.patch (1.02 KB)

Popular Content block does not respect node-level permissions, so shows
titles of nodes which the user can't access. This one-line patch for
Drupal 4.6 adds the missing db_rewrite call.

More information about the drupal-devel mailing list