Node Path Permissions Module (mm_tweaks)

Jay Dansand
Piggybacking on yesterday's discussion of node permissions, we noticed last week that because of how monster_menus_menu_alter() works, access callbacks for node paths don't always end up running through mm_content_user_can_node() or an equivalent.  Most of the time they do (thanks in part to MM's hook_node_access() implementation), but some poorly written 3rd-party modules don't use node_access() like they ought, so they slip through the cracks.  For example, Feeds and Panels expose node/%/foo/bar paths, which MM copies (with their original access callbacks) into mm/%/node/%/foo/bar.  Those new paths (e.g. mm/7/node/9999/import) may allow access even if the user does not have access to view the page or node itself.  I singled out Feeds and Panels, but I'm sure there are other such modules.

In response, we've added https://github.com/jaydansand/mm_tweaks/tree/master/mm_ensure_node_access_check to mm_tweaks. This module implements hook_mm_menu_alter() to find node/% paths and guarantee that (in addition to their original access callback) all of them at least have MM_PERMS_READ checked (though the actual permission required for a given path can be changed by implementing hook_mm_ensure_node_access_check_perm_alter()).

Just an FYI in case anyone has run into similar problems with 3rd-party modules and wants a quick fix.

-- 
Jay Dansand '08
Senior Web Application Developer
Technology Services, Seeley G. Mudd Library
Lawrence University
Appleton, WI
920-832-6585
[hidden email]
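
The wrapping approach described in the post, as an added example that is not part of the original message and is not mm_tweaks' or Monster Menus' own code. It is a stand-alone PHP model of Drupal 7 router items: every `example_*` name, the readable-node list and the sample router entry are constructed, and `example_can_read()` is a hypothetical stand-in for the MM read check.

```php
<?php
// Added illustration: models Drupal 7 router items; not mm_tweaks' own code.

// Hypothetical stand-in for the MM read check (the real one would take the
// loaded node; this model receives the raw nid from the path).
function example_can_read($nid) {
  return in_array((int) $nid, $GLOBALS['example_readable_nids'], TRUE);
}

// Wrapper: the read check must pass AND the original callback must pass.
function example_checked_access($nid, $original) {
  if (!example_can_read($nid)) {
    return FALSE;
  }
  $args = array_slice(func_get_args(), 2);
  // '1'/'0' encode a constant TRUE/FALSE access callback (see below).
  return is_numeric($original) ? (bool) $original : (bool) call_user_func_array($original, $args);
}

// Alter step: route every path containing node/% through the wrapper.
function example_ensure_read_check(array &$items) {
  foreach ($items as $path => &$item) {
    $parts = explode('/', $path);
    $i = array_search('node', $parts, TRUE);
    if ($i === FALSE || !isset($parts[$i + 1]) || strpos($parts[$i + 1], '%') !== 0) {
      continue;
    }
    // Simplified default: Drupal 7 uses user_access when only arguments are set.
    $orig = isset($item['access callback']) ? $item['access callback'] : 'user_access';
    if (!is_string($orig)) {
      $orig = $orig ? '1' : '0'; // keep constants as strings: integers mean path positions
    }
    $args = isset($item['access arguments']) ? $item['access arguments'] : array();
    // The node index follows the copy: 1 in node/%/import, 3 in mm/%/node/%/import.
    $item['access arguments'] = array_merge(array($i + 1, $orig), $args);
    $item['access callback'] = 'example_checked_access';
  }
  unset($item);
}

// Constructed data: a callback that, like the ones described, ignores node access.
function example_feeds_like_access() { return TRUE; }
$GLOBALS['example_readable_nids'] = array(1);
$items = array('mm/%/node/%/import' => array('access callback' => 'example_feeds_like_access'));
example_ensure_read_check($items);
$item = $items['mm/%/node/%/import'];
$url = explode('/', 'mm/7/node/9999/import');
// Minimal model of Drupal replacing integer arguments with path components.
$resolved = array_map(function ($a) use ($url) { return is_int($a) ? $url[$a] : $a; }, $item['access arguments']);
var_dump(call_user_func_array($item['access callback'], $resolved));
```

Adding 9999 to the constructed readable list makes the same call fall through to the original callback, which is the "in addition to their original access callback" behaviour the post describes.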


