[drupal-devel] Contributions: missing access checks
Negyesi Karoly
karoly at negyesi.net
Sat Jan 22 21:59:31 UTC 2005
> These modules don't use node_rewrite_sql() when joining against the
> node-table. They might need to be updated:
>
Might is the word. As I have said in the big thread fo node_rewrite_sql, I
am not absolutely sure that every query, just because it has {node} in it,
must go through the rewrite. node_load for example would simply break if
the query in $node = db_fetch_object(db_query(.... would be rewritten and
after the rewriting process the query would come back empty.
> The following modules still use node_access_join_sql() and/or
> node_access_where_sql():
>
> ./modules/upload.module
How this could be...? Oh shit, I forgot to include the upload.module patch
back when I was doing the big patch. OK, I'm submitting as a separate
issue...
NK
More information about the drupal-devel
mailing list