[drupal-devel] [bug] user_access returns invalid data

Anonymous drupal-devel at drupal.org
Thu Feb 3 23:20:03 UTC 2005

 Project:      Drupal
-Version:      <none>
+Version:      4.5.0
 Component:    user.module
 Category:     bug reports
 Priority:     critical
 Assigned to:  javanaut
 Reported by:  javanaut
 Updated by:   Anonymous
 Status:       patch

+  return strpos($perm[$account->uid], "$string, ") !== FALSE ? TRUE :
could be written more simply as
+  return strpos($perm[$account->uid], "$string, ") !== FALSE;
Keep in mind it's also possible to type-cast the result of strstr to a
boolean value (i.e. return (bool) strstr($perm[$account->uid],
"$string, ");)... I am unsure as to whether strstr or strpos would be
faster... perhaps a quick benchmark could answer the question of which
we should use.


Previous comments:

February 3, 2005 - 21:32 : javanaut

Attachment: http://drupal.org/files/issues/user_access_bug.patch (473 bytes)

The user_access function in user.module returns the results of the
*strstr()* function, which returns a string, not a Boolean like the
documentation suggests.  This was screwing things up for me since
flexinode relies on user_access for it's node_access('create'..)
The attached patch uses strpos instead of strstr.  It was created from
a 4.5 codebase, but I noticed that the same issue is in HEAD as well. 
I'm using it on my dev site, and node_access('create'..) calls are now
working properly and nothing I'm using seems to have any problems with

View: http://drupal.org/node/16705
Edit: http://drupal.org/project/comments/add/16705

More information about the drupal-devel mailing list