[drupal-devel] [bug] Popular Content block shows restricted content
ankur
drupal-devel at drupal.org
Thu Apr 21 22:38:33 UTC 2005
Issue status update for http://drupal.org/node/20391
Project: Drupal
Version: cvs
Component: statistics.module
Category: bug reports
Priority: critical
Assigned to: Anonymous
Reported by: menesis
Updated by: ankur
Status: patch
+1
The node_privacy_byrole module in contribs makes changes to the
node_access table that get ignored by the title listings generated by
statistics.module's popular content listings. This is because the
queries used to generate the listings don't check permissions on a JOIN
to the node_access table as they should. The problem came to my
attention in the issues queue for node_privacy_byrole:
http://drupal.org/node/16243
The patch changes the query so that it calls db_rewrite_sql() which in
turn calls node_db_rewrite_sql() which is the function that inserts the
node_access check into the query.
-Ankur
ankur
Previous comments:
------------------------------------------------------------------------
April 12, 2005 - 19:34 : menesis
Attachment: http://drupal.org/files/issues/popular_content_access.patch (1.02 KB)
Popular Content block does not respect node-level permissions, so shows
titles of nodes which the user can't access. This one-line patch for
Drupal 4.6 adds the missing db_rewrite call.
More information about the drupal-devel
mailing list