- Patch #1204658 by kbasarab, Berdir, tim.plunkett, webchick: remove node access base table fallback.
parent
1746681619
commit
d1cb1258d8
|
@ -528,6 +528,7 @@ function comment_get_recent($number = 10) {
|
|||
$query = db_select('comment', 'c');
|
||||
$query->innerJoin('node', 'n', 'n.nid = c.nid');
|
||||
$query->addTag('node_access');
|
||||
$query->addMetaData('base_table', 'comment');
|
||||
$comments = $query
|
||||
->fields('c')
|
||||
->condition('c.status', COMMENT_PUBLISHED)
|
||||
|
@ -860,6 +861,7 @@ function comment_get_thread(Node $node, $mode, $comments_per_page) {
|
|||
->condition('c.nid', $node->nid)
|
||||
->addTag('node_access')
|
||||
->addTag('comment_filter')
|
||||
->addMetaData('base_table', 'comment')
|
||||
->addMetaData('node', $node)
|
||||
->limit($comments_per_page);
|
||||
|
||||
|
@ -869,6 +871,7 @@ function comment_get_thread(Node $node, $mode, $comments_per_page) {
|
|||
->condition('c.nid', $node->nid)
|
||||
->addTag('node_access')
|
||||
->addTag('comment_filter')
|
||||
->addMetaData('base_table', 'comment')
|
||||
->addMetaData('node', $node);
|
||||
|
||||
if (!user_access('administer comments')) {
|
||||
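Review bot: The `addMetaData('base_table', 'comment')` call in `comment_get_recent()` has no comment explaining why `comment` is named when the query also inner-joins `node` as `n`. Judging by the node.module part of this commit, setting the meta data skips the search that would otherwise have picked the node table, so the access check is presumably keyed on the comment row's nid from now on. A one-line comment above the call would record that this is intentional, for example `// Node access is checked against c.nid; the inner join on n.nid = c.nid keeps this equivalent to checking node.` The same meta data is added to both queries in `comment_get_thread()`, whose bodies start and end outside the hunks.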
|
|
|
@ -679,7 +679,8 @@ function forum_block_save($delta = '', $edit = array()) {
|
|||
function forum_block_view($delta = '') {
|
||||
$query = db_select('forum_index', 'f')
|
||||
->fields('f')
|
||||
->addTag('node_access');
|
||||
->addTag('node_access')
|
||||
->addMetaData('base_table', 'forum_index');
|
||||
switch ($delta) {
|
||||
case 'active':
|
||||
$title = t('Active forum topics');
|
||||
|
@ -928,6 +929,7 @@ function forum_get_topics($tid, $sortby, $forum_per_page) {
|
|||
$query
|
||||
->condition('f.tid', $tid)
|
||||
->addTag('node_access')
|
||||
->addMetaData('base_table', 'forum_index')
|
||||
->orderBy('f.sticky', 'DESC')
|
||||
->orderByHeader($forum_topic_list_header)
|
||||
->limit($forum_per_page);
|
||||
|
@ -936,6 +938,7 @@ function forum_get_topics($tid, $sortby, $forum_per_page) {
|
|||
$count_query->condition('f.tid', $tid);
|
||||
$count_query->addExpression('COUNT(*)');
|
||||
$count_query->addTag('node_access');
|
||||
$count_query->addMetaData('base_table', 'forum_index');
|
||||
|
||||
$query->setCountQuery($count_query);
|
||||
$result = $query->execute();
|
||||
|
|
|
@ -3258,10 +3258,9 @@ function _node_query_node_access_alter($query, $type) {
|
|||
|
||||
$tables = $query->getTables();
|
||||
$base_table = $query->getMetaData('base_table');
|
||||
// If no base table is specified explicitly, search for one.
|
||||
// If the base table is not given, default to node if present.
|
||||
if (!$base_table) {
|
||||
$fallback = '';
|
||||
foreach ($tables as $alias => $table_info) {
|
||||
foreach ($tables as $table_info) {
|
||||
if (!($table_info instanceof SelectInterface)) {
|
||||
$table = $table_info['table'];
|
||||
// If the node table is in the query, it wins immediately.
|
||||
|
@ -3269,38 +3268,11 @@ function _node_query_node_access_alter($query, $type) {
|
|||
$base_table = $table;
|
||||
break;
|
||||
}
|
||||
// Check whether the table has a foreign key to node.nid. If it does,
|
||||
// do not run this check again as we found a base table and only node
|
||||
// can triumph that.
|
||||
if (!$base_table) {
|
||||
// The schema is cached.
|
||||
$schema = drupal_get_schema($table);
|
||||
if (isset($schema['fields']['nid'])) {
|
||||
if (isset($schema['foreign keys'])) {
|
||||
foreach ($schema['foreign keys'] as $relation) {
|
||||
if ($relation['table'] === 'node' && $relation['columns'] === array('nid' => 'nid')) {
|
||||
$base_table = $table;
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
// At least it's a nid. A table with a field called nid is very
|
||||
// very likely to be a node.nid in a node access query.
|
||||
$fallback = $table;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
// If there is nothing else, use the fallback.
|
||||
// Bail out if the base table is missing.
|
||||
if (!$base_table) {
|
||||
if ($fallback) {
|
||||
watchdog('security', 'Your node listing query is using @fallback as a base table in a query tagged for node access. This might not be secure and might not even work. Specify foreign keys in your schema to node.nid ', array('@fallback' => $fallback), WATCHDOG_WARNING);
|
||||
$base_table = $fallback;
|
||||
}
|
||||
else {
|
||||
throw new Exception(t('Query tagged for node access but there is no nid. Add foreign keys to node.nid in schema to fix.'));
|
||||
}
|
||||
throw new Exception(t('Query tagged for node access but there is no node table, specify the base_table using meta data.'));
|
||||
}
|
||||
}
|
||||
|
||||
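Review bot: In `_node_query_node_access_alter()`, a `base_table` supplied through meta data is accepted as long as it is non-empty; the `if (!$base_table)` guard never checks that the name matches one of the entries in `$tables`. With the schema-based search removed, a misspelled or stale table name reaches the rest of the function unchecked. If the code after this hunk only attaches grant conditions to tables equal to `$base_table` (not visible here), such a query would run without access filtering instead of failing. I would add a membership check after the guard so that this case throws as well. The function body continues outside the hunk.

```php
$base_table = $query->getMetaData('base_table');
// … unchanged: default to the node table when no base table is given, throw if none is found …
// Fail closed when the declared base table is not part of the query.
$table_names = array();
foreach ($tables as $table_info) {
  if (!($table_info instanceof SelectInterface)) {
    $table_names[] = $table_info['table'];
  }
}
if (!in_array($base_table, $table_names, TRUE)) {
  throw new Exception(t('Query tagged for node access but the base table @table is not part of the query.', array('@table' => $base_table)));
}
```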
|
|
|
@ -228,6 +228,7 @@ function taxonomy_select_nodes($tid, $pager = TRUE, $limit = FALSE, $order = arr
|
|||
}
|
||||
$query = db_select('taxonomy_index', 't');
|
||||
$query->addTag('node_access');
|
||||
$query->addMetaData('base_table', 'taxonomy_index');
|
||||
$query->condition('tid', $tid);
|
||||
if ($pager) {
|
||||
$count_query = clone $query;
|
||||
|
|
|
@ -39,6 +39,7 @@ function tracker_page($account = NULL, $set_title = FALSE) {
|
|||
// while keeping the correct order.
|
||||
$nodes = $query
|
||||
->addTag('node_access')
|
||||
->addMetaData('base_table', 'tracker_node')
|
||||
->fields('t', array('nid', 'changed'))
|
||||
->condition('t.published', 1)
|
||||
->orderBy('t.changed', 'DESC')
|
||||
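Review bot: `tracker_page()` sets `base_table` to `tracker_node` on whatever `$query` holds at this point in the chain, but the signature takes an optional `$account` and the construction of `$query` is outside the hunk. If the per-account path builds the query on a different table under the same `t` alias, this meta data would name a table that is not in the query, and node access filtering for that listing could be misapplied or skipped. Setting the meta data where each query is built, with the table that branch actually selects from, would keep the two in step.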
|
|