[drupal-devel] [bug] Incorrect access checking for username auto completion

Thox drupal-devel at drupal.org
Fri Jun 10 19:41:04 UTC 2005


Issue status update for http://drupal.org/node/24617

 Project:      Drupal
 Version:      cvs
 Component:    node.module
 Category:     bug reports
 Priority:     normal
 Assigned to:  Anonymous
 Reported by:  drumm
 Updated by:   Thox
-Status:       active
+Status:       patch
 Attachment:   http://drupal.org/files/issues/access.patch (1.55 KB)

Attached patch moves the menu entry from user.module into node.module
and fixes the permission check.




Thox



Previous comments:
------------------------------------------------------------------------

June 9, 2005 - 01:36 : drumm

The auto completion for user name on node edit pages checks
user_access('administer users') when it should be something more like 
node_access($node, 'edit').




------------------------------------------------------------------------

June 10, 2005 - 16:32 : Thox

-1


The current "Authored by" field is only for users "administer nodes"
permission.




------------------------------------------------------------------------

June 10, 2005 - 16:35 : Thox

Whoops, administer nodes != administer users. This makes things
different.


The true permission should be administer nodes... which almost suggests
that the autocomplete function should be part of node.module, not
user.module. It depends where else the autocomplete is used in the
future.




------------------------------------------------------------------------

June 10, 2005 - 16:57 : killes at www.drop.org

I think the function should stay in user.module, but node.module should
get a menu callback that utilizes it. This is not a problem as
user.module is a required module.







More information about the drupal-devel mailing list