[drupal-devel] [bug] user_access returns invalid data

javanaut drupal-devel at drupal.org
Fri Feb 4 01:24:16 UTC 2005

 Project:      Drupal
 Version:      4.5.0
 Component:    user.module
 Category:     bug reports
 Priority:     critical
 Assigned to:  javanaut
 Reported by:  javanaut
 Updated by:   javanaut
 Status:       patch

Heh, after posting that, I realized what I had done, but never got back
around to simplifying it.  Good eye.


Previous comments:

February 3, 2005 - 15:32 : javanaut

Attachment: http://drupal.org/files/issues/user_access_bug.patch (473 bytes)

The user_access function in user.module returns the results of the
*strstr()* function, which returns a string, not a Boolean like the
documentation suggests.  This was screwing things up for me since
flexinode relies on user_access for it's node_access('create'..)
The attached patch uses strpos instead of strstr.  It was created from
a 4.5 codebase, but I noticed that the same issue is in HEAD as well. 
I'm using it on my dev site, and node_access('create'..) calls are now
working properly and nothing I'm using seems to have any problems with


February 3, 2005 - 17:20 : Anonymous

+  return strpos($perm[$account->uid], "$string, ") !== FALSE ? TRUE :
could be written more simply as
+  return strpos($perm[$account->uid], "$string, ") !== FALSE;
Keep in mind it's also possible to type-cast the result of strstr to a
boolean value (i.e. return (bool) strstr($perm[$account->uid],
"$string, ");)... I am unsure as to whether strstr or strpos would be
faster... perhaps a quick benchmark could answer the question of which
we should use.

View: http://drupal.org/node/16705
Edit: http://drupal.org/project/comments/add/16705

More information about the drupal-devel mailing list