[drupal-devel] [bug] Incorrect access checking for username auto
completion
moshe weitzman
drupal-devel at drupal.org
Tue Jul 5 18:55:20 UTC 2005
Issue status update for
http://drupal.org/node/24617
Post a follow up:
http://drupal.org/project/comments/add/24617
Project: Drupal
Version: cvs
Component: node.module
Category: bug reports
Priority: normal
Assigned to: Anonymous
Reported by: drumm
Updated by: moshe weitzman
Status: patch
I think some are compounding two separate idea. In my mind, the username
autocomplete callback needs a very minimal permission like 'view user
profile'. And that callback belongs in user.module.
The decision about showing the author field and the responsibility for
validating its contents belong to node.module and comment.module (in
Dries' example).
moshe weitzman
Previous comments:
------------------------------------------------------------------------
June 8, 2005 - 19:36 : drumm
The auto completion for user name on node edit pages checks
user_access('administer users') when it should be something more like
node_access($node, 'edit').
------------------------------------------------------------------------
June 10, 2005 - 10:32 : Thox
-1
The current "Authored by" field is only for users "administer nodes"
permission.
------------------------------------------------------------------------
June 10, 2005 - 10:35 : Thox
Whoops, administer nodes != administer users. This makes things
different.
The true permission should be administer nodes... which almost suggests
that the autocomplete function should be part of node.module, not
user.module. It depends where else the autocomplete is used in the
future.
------------------------------------------------------------------------
June 10, 2005 - 10:57 : killes at www.drop.org
I think the function should stay in user.module, but node.module should
get a menu callback that utilizes it. This is not a problem as
user.module is a required module.
------------------------------------------------------------------------
June 10, 2005 - 14:40 : Thox
Attachment: http://drupal.org/files/issues/access.patch (1.55 KB)
Attached patch moves the menu entry from user.module into node.module
and fixes the permission check.
------------------------------------------------------------------------
July 5, 2005 - 13:24 : Dries
Say we wanted to make the Author-field on "edit comment" pages editable.
I think the permissions would clash, and you'd be able to by-pass
permissions if you have access to at least one (because they'd all
share the same callback). So, I don't think this solution is
sufficiently generic and possibly insecure. Not?
More information about the drupal-devel
mailing list