Node Path Permissions Module (mm_tweaks)


Jay Dansand
Piggybacking on yesterday's discussion of node permissions, we noticed last week that because of how monster_menus_menu_alter() works, access callbacks for node paths don't always end up running through mm_content_user_can_node() or an equivalent.  Most of the time they do (thanks in part to MM's hook_node_access() implementation), but some poorly written 3rd-party modules don't use node_access() like they ought, so they slip through the cracks.  For example, Feeds and Panels expose node/%/foo/bar paths, which MM copies (with their original access callbacks) into mm/%/node/%/foo/bar.  Those new paths (e.g. mm/7/node/9999/import) may allow access even if the user does not have access to view the page or node itself.  I singled out Feeds and Panels, but I'm sure there are other such modules.

In response, we've added to mm_tweaks. This module implements hook_mm_menu_alter() to find node/% paths and guarantee that (in addition to their original access callback) all of them at least have MM_PERMS_READ checked (though the actual permission required for a given path can be changed by implementing hook_mm_ensure_node_access_check_perm_alter()).

Just an FYI in case anyone has run into similar problems with 3rd-party modules and wants a quick fix.

Jay Dansand '08
Senior Web Application Developer
Technology Services, Seeley G. Mudd Library
Lawrence University
Appleton, WI
[hidden email]
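
A simplified model of the wrapping described in the post above, as an added example (not code from mm_tweaks or Monster Menus). Every `example_*` function, the sample router item and the node ID 42 are constructed for illustration; the dispatcher only imitates how Drupal 7 replaces integer access arguments with path components.

```php
<?php
// Added illustration: standalone model of Drupal 7 style menu router items.
// Every example_* name and all sample data are hypothetical and constructed.

// Stand-in for an MM read check (mm_content_user_can_node() / MM_PERMS_READ).
function example_user_can_read_node($nid) {
  $readable = array(42);  // constructed: the only node this user may read
  return in_array((int) $nid, $readable, TRUE);
}

// Third-party style callback that never consults node access.
function example_import_access() {
  return TRUE;
}

// Runs the read check first, then the module's original callback.
function example_wrapped_access($callback, array $args, $nid) {
  return example_user_can_read_node($nid)
    && (bool) call_user_func_array($callback, $args);
}

// Alter step: wrap every item whose path contains node/%.
// Assumes each item sets its own 'access callback'.
function example_ensure_read_check(array &$items) {
  foreach ($items as $path => $item) {
    $parts = explode('/', $path);
    $pos = array_search('node', $parts, TRUE);
    if ($pos === FALSE || !isset($parts[$pos + 1]) || $parts[$pos + 1] !== '%') {
      continue;
    }
    $original_args = isset($item['access arguments']) ? $item['access arguments'] : array();
    $items[$path]['access arguments'] = array($item['access callback'], $original_args, $pos + 1);
    $items[$path]['access callback'] = 'example_wrapped_access';
  }
}

// Minimal dispatcher: top-level integer arguments become path components.
function example_check_access(array $item, $request_path) {
  $parts = explode('/', $request_path);
  $args = array();
  foreach ($item['access arguments'] as $arg) {
    $args[] = is_int($arg) ? $parts[$arg] : $arg;
  }
  return (bool) call_user_func_array($item['access callback'], $args);
}

$items = array('mm/%/node/%/import' => array(
  'access callback' => 'example_import_access', 'access arguments' => array()));
example_ensure_read_check($items);
foreach (array('mm/7/node/9999/import', 'mm/7/node/42/import') as $request) {
  echo $request, ': ', var_export(example_check_access($items['mm/%/node/%/import'], $request), TRUE), "\n";
}
```

Because the read check is ANDed in front of the original callback, a permissive third-party callback can no longer grant access to a node the user cannot read, while a restrictive one still applies.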