- Patch #1204658 by kbasarab, Berdir, tim.plunkett, webchick: remove node access base table fallback.
parent
1746681619
commit
d1cb1258d8
|
@ -528,6 +528,7 @@ function comment_get_recent($number = 10) {
|
||||||
$query = db_select('comment', 'c');
|
$query = db_select('comment', 'c');
|
||||||
$query->innerJoin('node', 'n', 'n.nid = c.nid');
|
$query->innerJoin('node', 'n', 'n.nid = c.nid');
|
||||||
$query->addTag('node_access');
|
$query->addTag('node_access');
|
||||||
|
$query->addMetaData('base_table', 'comment');
|
||||||
$comments = $query
|
$comments = $query
|
||||||
->fields('c')
|
->fields('c')
|
||||||
->condition('c.status', COMMENT_PUBLISHED)
|
->condition('c.status', COMMENT_PUBLISHED)
|
||||||
|
@ -860,6 +861,7 @@ function comment_get_thread(Node $node, $mode, $comments_per_page) {
|
||||||
->condition('c.nid', $node->nid)
|
->condition('c.nid', $node->nid)
|
||||||
->addTag('node_access')
|
->addTag('node_access')
|
||||||
->addTag('comment_filter')
|
->addTag('comment_filter')
|
||||||
|
->addMetaData('base_table', 'comment')
|
||||||
->addMetaData('node', $node)
|
->addMetaData('node', $node)
|
||||||
->limit($comments_per_page);
|
->limit($comments_per_page);
|
||||||
|
|
||||||
|
@ -869,6 +871,7 @@ function comment_get_thread(Node $node, $mode, $comments_per_page) {
|
||||||
->condition('c.nid', $node->nid)
|
->condition('c.nid', $node->nid)
|
||||||
->addTag('node_access')
|
->addTag('node_access')
|
||||||
->addTag('comment_filter')
|
->addTag('comment_filter')
|
||||||
|
->addMetaData('base_table', 'comment')
|
||||||
->addMetaData('node', $node);
|
->addMetaData('node', $node);
|
||||||
|
|
||||||
if (!user_access('administer comments')) {
|
if (!user_access('administer comments')) {
|
||||||
|
|
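Review bot: In `comment_get_recent` the query inner-joins `node`, yet the added `$query->addMetaData('base_table', 'comment');` names `comment` as the base table, and nothing in the code explains that choice. Going by the updated comment in `_node_query_node_access_alter` ("default to node if present"), the node table would have been picked without this line, so the override looks deliberate. A one-line comment above it would save the next reader the lookup, for example `// Check node access through comment.nid instead of the joined node table.` The bodies of both comment functions extend beyond the hunks shown.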
|
@ -679,7 +679,8 @@ function forum_block_save($delta = '', $edit = array()) {
|
||||||
function forum_block_view($delta = '') {
|
function forum_block_view($delta = '') {
|
||||||
$query = db_select('forum_index', 'f')
|
$query = db_select('forum_index', 'f')
|
||||||
->fields('f')
|
->fields('f')
|
||||||
->addTag('node_access');
|
->addTag('node_access')
|
||||||
|
->addMetaData('base_table', 'forum_index');
|
||||||
switch ($delta) {
|
switch ($delta) {
|
||||||
case 'active':
|
case 'active':
|
||||||
$title = t('Active forum topics');
|
$title = t('Active forum topics');
|
||||||
|
@ -928,6 +929,7 @@ function forum_get_topics($tid, $sortby, $forum_per_page) {
|
||||||
$query
|
$query
|
||||||
->condition('f.tid', $tid)
|
->condition('f.tid', $tid)
|
||||||
->addTag('node_access')
|
->addTag('node_access')
|
||||||
|
->addMetaData('base_table', 'forum_index')
|
||||||
->orderBy('f.sticky', 'DESC')
|
->orderBy('f.sticky', 'DESC')
|
||||||
->orderByHeader($forum_topic_list_header)
|
->orderByHeader($forum_topic_list_header)
|
||||||
->limit($forum_per_page);
|
->limit($forum_per_page);
|
||||||
|
@ -936,6 +938,7 @@ function forum_get_topics($tid, $sortby, $forum_per_page) {
|
||||||
$count_query->condition('f.tid', $tid);
|
$count_query->condition('f.tid', $tid);
|
||||||
$count_query->addExpression('COUNT(*)');
|
$count_query->addExpression('COUNT(*)');
|
||||||
$count_query->addTag('node_access');
|
$count_query->addTag('node_access');
|
||||||
|
$count_query->addMetaData('base_table', 'forum_index');
|
||||||
|
|
||||||
$query->setCountQuery($count_query);
|
$query->setCountQuery($count_query);
|
||||||
$result = $query->execute();
|
$result = $query->execute();
|
||||||
|
|
|
@ -3258,10 +3258,9 @@ function _node_query_node_access_alter($query, $type) {
|
||||||
|
|
||||||
$tables = $query->getTables();
|
$tables = $query->getTables();
|
||||||
$base_table = $query->getMetaData('base_table');
|
$base_table = $query->getMetaData('base_table');
|
||||||
// If no base table is specified explicitly, search for one.
|
// If the base table is not given, default to node if present.
|
||||||
if (!$base_table) {
|
if (!$base_table) {
|
||||||
$fallback = '';
|
foreach ($tables as $table_info) {
|
||||||
foreach ($tables as $alias => $table_info) {
|
|
||||||
if (!($table_info instanceof SelectInterface)) {
|
if (!($table_info instanceof SelectInterface)) {
|
||||||
$table = $table_info['table'];
|
$table = $table_info['table'];
|
||||||
// If the node table is in the query, it wins immediately.
|
// If the node table is in the query, it wins immediately.
|
||||||
|
@ -3269,38 +3268,11 @@ function _node_query_node_access_alter($query, $type) {
|
||||||
$base_table = $table;
|
$base_table = $table;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
// Check whether the table has a foreign key to node.nid. If it does,
|
|
||||||
// do not run this check again as we found a base table and only node
|
|
||||||
// can triumph that.
|
|
||||||
if (!$base_table) {
|
|
||||||
// The schema is cached.
|
|
||||||
$schema = drupal_get_schema($table);
|
|
||||||
if (isset($schema['fields']['nid'])) {
|
|
||||||
if (isset($schema['foreign keys'])) {
|
|
||||||
foreach ($schema['foreign keys'] as $relation) {
|
|
||||||
if ($relation['table'] === 'node' && $relation['columns'] === array('nid' => 'nid')) {
|
|
||||||
$base_table = $table;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
// At least it's a nid. A table with a field called nid is very
|
|
||||||
// very likely to be a node.nid in a node access query.
|
|
||||||
$fallback = $table;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// If there is nothing else, use the fallback.
|
// Bail out if the base table is missing.
|
||||||
if (!$base_table) {
|
if (!$base_table) {
|
||||||
if ($fallback) {
|
throw new Exception(t('Query tagged for node access but there is no node table, specify the base_table using meta data.'));
|
||||||
watchdog('security', 'Your node listing query is using @fallback as a base table in a query tagged for node access. This might not be secure and might not even work. Specify foreign keys in your schema to node.nid ', array('@fallback' => $fallback), WATCHDOG_WARNING);
|
|
||||||
$base_table = $fallback;
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
throw new Exception(t('Query tagged for node access but there is no nid. Add foreign keys to node.nid in schema to fix.'));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
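Review bot: The new exception in `_node_query_node_access_alter` does not say which query failed. With the fallback and its `watchdog('security', …)` warning removed, any query tagged `node_access` that neither joins `node` nor sets `base_table` now stops at runtime with only this generic text. Failing closed is the safer behaviour, but the message should name the tables involved so the offending query can be found, for example `throw new Exception(t('Query tagged for node access but there is no node table, specify the base_table using meta data. Tables in query: @tables', array('@tables' => implode(', ', array_keys($tables)))));`. The keys of `$tables` appear to be aliases (the removed loop iterated `$alias => $table_info`), so the real table names may have to come from `$table_info['table']` instead. The function starts and ends outside these hunks.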
|
@ -228,6 +228,7 @@ function taxonomy_select_nodes($tid, $pager = TRUE, $limit = FALSE, $order = arr
|
||||||
}
|
}
|
||||||
$query = db_select('taxonomy_index', 't');
|
$query = db_select('taxonomy_index', 't');
|
||||||
$query->addTag('node_access');
|
$query->addTag('node_access');
|
||||||
|
$query->addMetaData('base_table', 'taxonomy_index');
|
||||||
$query->condition('tid', $tid);
|
$query->condition('tid', $tid);
|
||||||
if ($pager) {
|
if ($pager) {
|
||||||
$count_query = clone $query;
|
$count_query = clone $query;
|
||||||
|
|
|
@ -39,6 +39,7 @@ function tracker_page($account = NULL, $set_title = FALSE) {
|
||||||
// while keeping the correct order.
|
// while keeping the correct order.
|
||||||
$nodes = $query
|
$nodes = $query
|
||||||
->addTag('node_access')
|
->addTag('node_access')
|
||||||
|
->addMetaData('base_table', 'tracker_node')
|
||||||
->fields('t', array('nid', 'changed'))
|
->fields('t', array('nid', 'changed'))
|
||||||
->condition('t.published', 1)
|
->condition('t.published', 1)
|
||||||
->orderBy('t.changed', 'DESC')
|
->orderBy('t.changed', 'DESC')
|
||||||
|
|
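Review bot: The hard-coded `->addMetaData('base_table', 'tracker_node')` in `tracker_page` is only correct if `$query` is always built on `tracker_node`, and the construction of `$query` lies above the hunk. The `$account` parameter suggests a per-user variant of the listing; if that branch selects from a different table under the same alias `t`, the declared base table would not be part of the query. How `_node_query_node_access_alter` treats a base table that is absent from the query is not visible on this page. If it simply finds no matching alias, the access conditions could be skipped without any error. Setting the metadata where each `$query` is created, with that branch's own table name, would keep the two in step.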