Commit 202eee42 authored by Dries's avatar Dries

- Patch #9543 by JonBob: added node-level access control!
parent aed1b0ca
Drupal x.x.x, xxxx-xx-xx
------------------------
- navigation:
* made it possible to add, delete, rename and move menu items.
* introduced tabs and subtabs for local tasks.
......@@ -8,7 +7,9 @@ Drupal x.x.x, xxxx-xx-xx
- user management:
* added support for multiple roles per user.
* made it possible to add custom profile fields.
* made it possible to browse the profiles by field.
* made it possible to browse user profiles by field.
- node system:
* added support for node-level permissions.
- comment module:
* made it possible to comment without having to register.
- forum module:
......@@ -17,7 +18,8 @@ Drupal x.x.x, xxxx-xx-xx
- syndication:
* added support for RSS ping-notifications of http://technorati.com/.
* refactored the categorization of syndicated news items.
* added URL aliases for 'rss.xml' and 'index.rdf'.
* added an URL alias for 'rss.xml'.
* improved date parsing.
- database backend:
* added support for multiple database connections.
- theme system:
......@@ -27,8 +29,6 @@ Drupal x.x.x, xxxx-xx-xx
* added 'categories' block.
- blogger API:
* added support for auto-discovery of blogger API via RSD.
- news aggregator:
* improved date parsing.
- performance:
* added support for sending gzip compressed pages.
- accessibility:
......@@ -38,22 +38,16 @@ Drupal x.x.x, xxxx-xx-xx
- documentation:
* added PHPDoc/Doxygen comments.
Drupal 4.4.2, 2004-07-04
------------------------
- fixed bugs: no critical bugs were identified.
Drupal 4.4.1, 2004-05-01
------------------------
- fixed bugs: no critical bugs were identified.
Drupal 4.4.0, 2004-04-01
------------------------
- added support for the MetaWeblog API and MovableType extensions.
- added a file API: enables better document management.
- improved the watchdog and search module to log search keys.
......@@ -92,22 +86,16 @@ Drupal 4.4.0, 2004-04-01
- documentation:
* added PHPDoc/Doxygen comments.
Drupal 4.3.2, 2004-01-01
------------------------
- fixed bugs: no critical bugs were identified.
Drupal 4.3.1, 2003-12-01
------------------------
- fixed bugs: no critical bugs were identified.
Drupal 4.3.0, 2003-11-01
------------------------
- added support for configurable URLs.
- added support for sortable table columns.
- database backend:
......@@ -131,7 +119,6 @@ Drupal 4.3.0, 2003-11-01
Drupal 4.2.0, 2003-08-01
------------------------
- added support for clean URLs.
- added textarea hook and support for onload attributes: enables integration of WYSIWYG editors.
- rewrote the RSS/RDF parser:
......@@ -159,7 +146,6 @@ Drupal 4.2.0, 2003-08-01
Drupal 4.1.0, 2003-02-01
------------------------
- collaboratively revised and expanded the Drupal documentation.
- rewrote comment.module:
* reintroduced comment rating/moderation.
......@@ -214,12 +200,11 @@ Drupal 4.0.0, 2002-06-15
* blocks can be set to only show up on some pages.
* merged box module with block module.
- node system:
* fixed node retrieval based on titles.
* blogs can be updated.
* teasers (abstracts) on all node types.
* improved error checking.
* usability improvements.
* content versioning support.
* usability improvements.
- improved book module to support text, HTML and PHP pages.
- improved comment module to mark new comments.
- added a general outliner which will let any node type be linked to a book.
......
......@@ -339,7 +339,21 @@ CREATE TABLE node (
KEY node_changed (changed)
) TYPE=MyISAM;
--
#
# Table structure for table `node_access`
#
CREATE TABLE node_access (
nid int(10) unsigned NOT NULL default '0',
gid int(10) unsigned NOT NULL default '0',
realm varchar(255) NOT NULL default '',
grant_view tinyint(1) unsigned NOT NULL default '0',
grant_update tinyint(1) unsigned NOT NULL default '0',
grant_delete tinyint(1) unsigned NOT NULL default '0',
PRIMARY KEY (nid,gid,realm)
) TYPE=MyISAM;
-
-- Table structure for table 'page'
--
......@@ -682,3 +696,5 @@ REPLACE blocks SET module = 'user', delta = '0', status = '1';
REPLACE blocks SET module = 'user', delta = '1', status = '1';
INSERT INTO sequences (name, id) VALUES ('menu_mid', 1);
INSERT INTO node_access VALUES (0, 0, 'all', 1, 0, 0);
......@@ -65,7 +65,8 @@
"2004-06-30" => "update_91",
"2004-07-07" => "update_92",
"2004-07-11" => "update_93",
"2004-07-22" => "update_94"
"2004-07-22" => "update_94",
"2004-07-30" => "update_95"
);
function update_32() {
......@@ -1187,6 +1188,22 @@ function update_94() {
return $ret;
}
function update_95() {
$ret = array();
$ret[] = update_sql("CREATE TABLE node_access (
nid int(10) unsigned NOT NULL default '0',
gid int(10) unsigned NOT NULL default '0',
realm varchar(255) NOT NULL default '',
grant_view tinyint(1) unsigned NOT NULL default '0',
grant_update tinyint(1) unsigned NOT NULL default '0',
grant_delete tinyint(1) unsigned NOT NULL default '0',
PRIMARY KEY (nid,gid,realm)
)");
$ret[] = update_sql("INSERT INTO node_access VALUES (0, 0, 'all', 1, 0, 0);");
return $ret;
}
function update_sql($sql) {
$edit = $_POST["edit"];
$result = db_query($sql);
......
......@@ -248,7 +248,7 @@ function archive_page($year = 0, $month = 0, $day = 0) {
if ($year && $month && $day) {
// Fetch nodes for the selected date, if one was specified.
$result = db_query_range('SELECT nid FROM {node} WHERE status = 1 AND created > %d AND created < %d ORDER BY created', $date, $date_end, 0, 20);
$result = db_query_range('SELECT DISTINCT(n.nid) FROM {node} n '. node_access_join_sql() .' WHERE n.status = 1 AND n.created > %d AND n.created < %d AND '. node_access_where_sql() .' ORDER BY n.created', $date, $date_end, 0, 20);
while ($nid = db_fetch_object($result)) {
$output .= node_view(node_load(array('nid' => $nid->nid)), 1);
......
......@@ -248,7 +248,7 @@ function archive_page($year = 0, $month = 0, $day = 0) {
if ($year && $month && $day) {
// Fetch nodes for the selected date, if one was specified.
$result = db_query_range('SELECT nid FROM {node} WHERE status = 1 AND created > %d AND created < %d ORDER BY created', $date, $date_end, 0, 20);
$result = db_query_range('SELECT DISTINCT(n.nid) FROM {node} n '. node_access_join_sql() .' WHERE n.status = 1 AND n.created > %d AND n.created < %d AND '. node_access_where_sql() .' ORDER BY n.created', $date, $date_end, 0, 20);
while ($nid = db_fetch_object($result)) {
$output .= node_view(node_load(array('nid' => $nid->nid)), 1);
......
......@@ -30,22 +30,15 @@ function blog_perm() {
function blog_access($op, $node) {
global $user;
if ($op == 'view') {
return $node->status;
}
if ($op == 'create') {
return user_access('edit own blog') && $user->uid;
}
if ($op == 'update') {
return user_access('edit own blog') && ($user->uid == $node->uid);
}
if ($op == 'delete') {
return user_access('edit own blog') && ($user->uid == $node->uid);
if ($op == 'update' || $op == 'delete') {
if (user_access('edit own blog') && ($user->uid == $node->uid)) {
return TRUE;
}
}
}
/**
......@@ -143,7 +136,7 @@ function blog_page_user($uid) {
$title = t("%name's blog", array('%name' => $account->name));
$output = '';
$result = pager_query("SELECT nid FROM {node} WHERE type = 'blog' AND uid = %d AND status = 1 ORDER BY sticky DESC, created DESC", variable_get('default_nodes_main', 10), 0, NULL, $account->uid);
$result = pager_query('SELECT DISTINCT(n.nid) FROM {node} n '. node_access_join_sql() ." WHERE type = 'blog' AND n.uid = %d AND n.status = 1 AND ". node_access_where_sql() .' ORDER BY n.sticky DESC, n.created DESC', variable_get('default_nodes_main', 10), 0, NULL, $account->uid);
while ($node = db_fetch_object($result)) {
$output .= node_view(node_load(array('nid' => $node->nid)), 1);
}
......@@ -162,7 +155,7 @@ function blog_page_last() {
$output = '';
$result = pager_query("SELECT nid FROM {node} WHERE type = 'blog' AND status = 1 ORDER BY created DESC", variable_get('default_nodes_main', 10));
$result = pager_query('SELECT DISTINCT(n.nid) FROM {node} n '. node_access_join_sql() ." WHERE n.type = 'blog' AND n.status = 1 AND ". node_access_where_sql() .' ORDER BY n.created DESC', variable_get('default_nodes_main', 10));
while ($node = db_fetch_object($result)) {
$output .= node_view(node_load(array('nid' => $node->nid)), 1);
......@@ -294,7 +287,7 @@ function blog_block($op = 'list', $delta = 0) {
}
else {
if (user_access('access content')) {
$block['content'] = node_title_list(db_query_range("SELECT n.title, n.nid FROM {node} n WHERE n.type = 'blog' AND n.status = 1 ORDER BY n.created DESC", 0, 10));
$block['content'] = node_title_list(db_query_range('SELECT DISTINCT(n.nid), n.title FROM {node} n '. node_access_join_sql() ." WHERE n.type = 'blog' AND n.status = 1 AND ". node_access_where_sql() .' ORDER BY n.created DESC', 0, 10));
$block['content'] .= '<div class="more-link">'. l(t('more'), 'blog', array('title' => t('Read the latest blog entries.'))) .'</div>';
$block['subject'] = t('Recent blog posts');
}
......
......@@ -30,22 +30,15 @@ function blog_perm() {
function blog_access($op, $node) {
global $user;
if ($op == 'view') {
return $node->status;
}
if ($op == 'create') {
return user_access('edit own blog') && $user->uid;
}
if ($op == 'update') {
return user_access('edit own blog') && ($user->uid == $node->uid);
}
if ($op == 'delete') {
return user_access('edit own blog') && ($user->uid == $node->uid);
if ($op == 'update' || $op == 'delete') {
if (user_access('edit own blog') && ($user->uid == $node->uid)) {
return TRUE;
}
}
}
/**
......@@ -143,7 +136,7 @@ function blog_page_user($uid) {
$title = t("%name's blog", array('%name' => $account->name));
$output = '';
$result = pager_query("SELECT nid FROM {node} WHERE type = 'blog' AND uid = %d AND status = 1 ORDER BY sticky DESC, created DESC", variable_get('default_nodes_main', 10), 0, NULL, $account->uid);
$result = pager_query('SELECT DISTINCT(n.nid) FROM {node} n '. node_access_join_sql() ." WHERE type = 'blog' AND n.uid = %d AND n.status = 1 AND ". node_access_where_sql() .' ORDER BY n.sticky DESC, n.created DESC', variable_get('default_nodes_main', 10), 0, NULL, $account->uid);
while ($node = db_fetch_object($result)) {
$output .= node_view(node_load(array('nid' => $node->nid)), 1);
}
......@@ -162,7 +155,7 @@ function blog_page_last() {
$output = '';
$result = pager_query("SELECT nid FROM {node} WHERE type = 'blog' AND status = 1 ORDER BY created DESC", variable_get('default_nodes_main', 10));
$result = pager_query('SELECT DISTINCT(n.nid) FROM {node} n '. node_access_join_sql() ." WHERE n.type = 'blog' AND n.status = 1 AND ". node_access_where_sql() .' ORDER BY n.created DESC', variable_get('default_nodes_main', 10));
while ($node = db_fetch_object($result)) {
$output .= node_view(node_load(array('nid' => $node->nid)), 1);
......@@ -294,7 +287,7 @@ function blog_block($op = 'list', $delta = 0) {
}
else {
if (user_access('access content')) {
$block['content'] = node_title_list(db_query_range("SELECT n.title, n.nid FROM {node} n WHERE n.type = 'blog' AND n.status = 1 ORDER BY n.created DESC", 0, 10));
$block['content'] = node_title_list(db_query_range('SELECT DISTINCT(n.nid), n.title FROM {node} n '. node_access_join_sql() ." WHERE n.type = 'blog' AND n.status = 1 AND ". node_access_where_sql() .' ORDER BY n.created DESC', 0, 10));
$block['content'] .= '<div class="more-link">'. l(t('more'), 'blog', array('title' => t('Read the latest blog entries.'))) .'</div>';
$block['subject'] = t('Recent blog posts');
}
......
......@@ -371,7 +371,7 @@ function book_prev($node) {
*/
function book_next($node) {
// get first direct child
$child = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') ORDER BY b.weight ASC, n.title ASC", $node->nid));
$child = db_fetch_object(db_query("SELECT DISTINCT(n.nid), n.title FROM {node} n ". node_access_join_sql() ." INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d AND n.status = 1 AND ". node_access_where_sql() ." AND (n.moderate = 0 OR n.revisions != '') ORDER BY b.weight ASC, n.title ASC", $node->nid));
if ($child) {
return $child;
}
......@@ -380,7 +380,7 @@ function book_next($node) {
array_push($path = book_location($node), $node); // Path to top-level node including this one.
while (($leaf = array_pop($path)) && count($path)) {
$next = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') AND (b.weight > %d OR (b.weight = %d AND n.title > '%s')) ORDER BY b.weight ASC, n.title ASC", $leaf->parent, $leaf->weight, $leaf->weight, $leaf->title));
$next = db_fetch_object(db_query("SELECT DISTINCT(n.nid), n.title FROM {node} n ". node_access_join_sql() ." INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d AND n.status = 1 AND ". node_access_where_sql() ." AND (n.moderate = 0 OR n.revisions != '') AND (b.weight > %d OR (b.weight = %d AND n.title > '%s')) ORDER BY b.weight ASC, n.title ASC", $leaf->parent, $leaf->weight, $leaf->weight, $leaf->title));
if ($next) {
return $next;
}
......@@ -536,7 +536,7 @@ function book_toc_recurse($nid, $indent, $toc, $children) {
}
function book_toc($parent = 0, $indent = '', $toc = array()) {
$result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 ORDER BY b.weight, n.title');
$result = db_query('SELECT DISTINCT(n.nid), n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 AND '. node_access_where_sql() .' ORDER BY b.weight, n.title');
while ($node = db_fetch_object($result)) {
if (!$children[$node->parent]) {
......@@ -587,7 +587,7 @@ function book_tree_recurse($nid, $depth, $children, $unfold = array()) {
}
function book_tree($parent = 0, $depth = 3, $unfold = array()) {
$result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 AND n.moderate = 0 ORDER BY b.weight, n.title');
$result = db_query('SELECT DISTINCT(n.nid), n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 AND '. node_access_where_sql() .' AND n.moderate = 0 ORDER BY b.weight, n.title');
while ($node = db_fetch_object($result)) {
$list = $children[$node->parent] ? $children[$node->parent] : array();
......@@ -630,7 +630,7 @@ function book_render() {
*/
function book_print($nid = 0, $depth = 1) {
global $base_url;
$result = db_query('SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 AND n.nid = %d AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title', $nid);
$result = db_query('SELECT DISTINCT(n.nid) FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 AND '. node_access_where_sql() .' AND n.nid = %d AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title', $nid);
while ($page = db_fetch_object($result)) {
// load the node:
......@@ -660,7 +660,7 @@ function book_print($nid = 0, $depth = 1) {
}
function book_print_recurse($parent = '', $depth = 1) {
$result = db_query("SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 AND b.parent = '$parent' AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title");
$result = db_query("SELECT DISTINCT(n.nid) FROM {node} n ". node_access_join_sql() ." INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 AND ". node_access_where_sql() ." AND b.parent = '$parent' AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title");
while ($page = db_fetch_object($result)) {
// Load the node:
......
......@@ -371,7 +371,7 @@ function book_prev($node) {
*/
function book_next($node) {
// get first direct child
$child = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') ORDER BY b.weight ASC, n.title ASC", $node->nid));
$child = db_fetch_object(db_query("SELECT DISTINCT(n.nid), n.title FROM {node} n ". node_access_join_sql() ." INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d AND n.status = 1 AND ". node_access_where_sql() ." AND (n.moderate = 0 OR n.revisions != '') ORDER BY b.weight ASC, n.title ASC", $node->nid));
if ($child) {
return $child;
}
......@@ -380,7 +380,7 @@ function book_next($node) {
array_push($path = book_location($node), $node); // Path to top-level node including this one.
while (($leaf = array_pop($path)) && count($path)) {
$next = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') AND (b.weight > %d OR (b.weight = %d AND n.title > '%s')) ORDER BY b.weight ASC, n.title ASC", $leaf->parent, $leaf->weight, $leaf->weight, $leaf->title));
$next = db_fetch_object(db_query("SELECT DISTINCT(n.nid), n.title FROM {node} n ". node_access_join_sql() ." INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d AND n.status = 1 AND ". node_access_where_sql() ." AND (n.moderate = 0 OR n.revisions != '') AND (b.weight > %d OR (b.weight = %d AND n.title > '%s')) ORDER BY b.weight ASC, n.title ASC", $leaf->parent, $leaf->weight, $leaf->weight, $leaf->title));
if ($next) {
return $next;
}
......@@ -536,7 +536,7 @@ function book_toc_recurse($nid, $indent, $toc, $children) {
}
function book_toc($parent = 0, $indent = '', $toc = array()) {
$result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 ORDER BY b.weight, n.title');
$result = db_query('SELECT DISTINCT(n.nid), n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 AND '. node_access_where_sql() .' ORDER BY b.weight, n.title');
while ($node = db_fetch_object($result)) {
if (!$children[$node->parent]) {
......@@ -587,7 +587,7 @@ function book_tree_recurse($nid, $depth, $children, $unfold = array()) {
}
function book_tree($parent = 0, $depth = 3, $unfold = array()) {
$result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 AND n.moderate = 0 ORDER BY b.weight, n.title');
$result = db_query('SELECT DISTINCT(n.nid), n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 AND '. node_access_where_sql() .' AND n.moderate = 0 ORDER BY b.weight, n.title');
while ($node = db_fetch_object($result)) {
$list = $children[$node->parent] ? $children[$node->parent] : array();
......@@ -630,7 +630,7 @@ function book_render() {
*/
function book_print($nid = 0, $depth = 1) {
global $base_url;
$result = db_query('SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 AND n.nid = %d AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title', $nid);
$result = db_query('SELECT DISTINCT(n.nid) FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 AND '. node_access_where_sql() .' AND n.nid = %d AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title', $nid);
while ($page = db_fetch_object($result)) {
// load the node:
......@@ -660,7 +660,7 @@ function book_print($nid = 0, $depth = 1) {
}
function book_print_recurse($parent = '', $depth = 1) {
$result = db_query("SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 AND b.parent = '$parent' AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title");
$result = db_query("SELECT DISTINCT(n.nid) FROM {node} n ". node_access_join_sql() ." INNER JOIN {book} b ON n.nid = b.nid WHERE n.status = 1 AND ". node_access_where_sql() ." AND b.parent = '$parent' AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title");
while ($page = db_fetch_object($result)) {
// Load the node:
......
This diff is collapsed.
This diff is collapsed.
......@@ -522,38 +522,16 @@ function node_prepare($node, $teaser = FALSE) {
* Generate a page displaying a single node, along with its comments.
*/
function node_show($node, $cid) {
if (node_access('view', $node)) {
$output = node_view($node, FALSE, TRUE);
$output = node_view($node, FALSE, TRUE);
if (function_exists('comment_render') && $node->comment) {
$output .= comment_render($node, $cid);
}
// Update the history table, stating that this user viewed this node.
node_tag_new($node->nid);
return $output;
}
else {
drupal_set_message(message_access());
}
}
/**
* Determine whether the current user may perform the given operation on the
* specified node.
*/
function node_access($op, $node = NULL) {
if (user_access('administer nodes')) {
return TRUE;
if (function_exists('comment_render') && $node->comment) {
$output .= comment_render($node, $cid);
}
// Convert the node to an object if necessary:
$node = array2object($node);
// Update the history table, stating that this user viewed this node.
node_tag_new($node->nid);
// Can't use node_invoke(), because the access hook takes the $op parameter
// before the $node parameter.
return module_invoke(node_get_module_name($node), 'access', $op, $node);
return $output;
}
/**
......@@ -585,7 +563,7 @@ function node_perm() {
* created, uid, name, and count.
*/
function node_search($keys) {
$find = do_search(array('keys' => $keys, 'type' => 'node', 'select' => "select s.lno as lno, n.title as title, n.created as created, u.uid as uid, u.name as name, s.count as count FROM {search_index} s, {node} n INNER JOIN {users} u ON n.uid = u.uid WHERE s.lno = n.nid AND s.type = 'node' AND s.word like '%' AND n.status = 1"));
$find = do_search(array('keys' => $keys, 'type' => 'node', 'select' => "SELECT DISTINCT s.lno as lno, n.title as title, n.created as created, u.uid as uid, u.name as name, s.count as count FROM {search_index} s, {node} n ". node_access_join_sql() ." INNER JOIN {users} u ON n.uid = u.uid WHERE s.lno = n.nid AND s.type = 'node' AND s.word like '%' AND n.status = 1 AND ". node_access_where_sql()));
return array(t('Matching nodes ranked in order of relevance'), $find);
}
......@@ -678,7 +656,7 @@ function node_menu() {
$items[] = array('path' => 'node/'. arg(1), 'title' => t('view'),
'callback' => 'node_page',
'access' => user_access('access content'),
'access' => node_access('view', $node),
'type' => MENU_CALLBACK);
$items[] = array('path' => 'node/'. arg(1) .'/view', 'title' => t('view'),
'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
......@@ -1281,12 +1259,7 @@ function node_edit($id) {
drupal_set_title($node->title);
if (node_access('update', $node)) {
$output = node_form($node);
}
else {
$output = message_access();
}
$output = node_form($node);
return $output;
}
......@@ -1423,7 +1396,7 @@ function node_delete($edit) {
* Generate a listing of promoted nodes.
*/
function node_page_default() {
$result = pager_query('SELECT nid, type FROM {node} WHERE promote = 1 AND status = 1 ORDER BY sticky DESC, created DESC', variable_get('default_nodes_main', 10));
$result = pager_query('SELECT DISTINCT(n.nid), n.type FROM {node} n '. node_access_join_sql() .' WHERE n.promote = 1 AND n.status = 1 AND '. node_access_where_sql() .' ORDER BY n.sticky DESC, n.created DESC', variable_get('default_nodes_main', 10));
if (db_num_rows($result)) {
drupal_set_html_head('<link rel="alternate" type="application/rss+xml" title="RSS" href="'. url('node/feed', NULL, NULL, TRUE) .'" />');
......@@ -1546,4 +1519,164 @@ function node_nodeapi(&$node, $op, $arg = 0) {
}
}
/**
* @defgroup node_access Node access rights
* @{
* The node access system determines who can do what to which nodes.
*
* In determining access rights for a node, node_access() first checks
* whether the user has the "administer nodes" permission. Such users have
* unrestricted access to all nodes. Then the node module's hook_access()
* is called, and a TRUE or FALSE return value will grant or deny access.
* This allows, for example, the blog module to always grant access to the
* blog author, and for the book module to always deny editing access to
* PHP pages.
*
* If node module does not intervene (returns NULL), then the
* node_access table is used to determine access. All node access
* modules are queried using hook_node_grants() to assemble a list of
* "grant IDs" for the user. This list is compared against the table.
* If any row contains the node ID in question (or 0, which stands for "all
* nodes"), one of the grant IDs returned, and a value of TRUE for the
* operation in question, then access is granted. Note that this table is a
* list of grants; any matching row is sufficient to grant access to the
* node.
*
* In node listings, the process above is followed except that
* hook_access() is not called on each node for performance reasons and for
* proper functioning of the pager system. When adding a node listing to your
* module, be sure to use node_access_join_sql() and node_access_where_sql() to add
* the appropriate clauses to your query for access checks.
*
* To see how to write a node access module of your own, see
* node_access_example.module.
*/
/**
* Determine whether the current user may perform the given operation on the
* specified node.
*
* @param $op
* The operation to be performed on the node. Possible values are:
* - "view"
* - "update"
* - "delete"
* @param $node
* The node object (or node array) on which the operation is to be performed.
* @return
* TRUE if the operation may be performed.
*/
function node_access($op, $node = NULL) {
if (user_access('administer nodes')) {
return TRUE;
}
// Convert the node to an object if necessary:
$node = array2object($node);
// Can't use node_invoke(), because the access hook takes the $op parameter
// before the $node parameter.
$access = module_invoke(node_get_module_name($node), 'access', $op, $node);
if (!is_null($access)) {
return $access;
}
// If the module did not override the access rights, use those set in the
// node_access table.
if ($node->nid && $node->status) {
$sql = 'SELECT COUNT(*) FROM {node_access} WHERE (nid = 0 OR nid = %d) AND CONCAT(realm, gid) IN (';
$grants = array();
foreach (node_access_grants($op, $uid) as $realm => $gids) {
foreach ($gids as $gid) {
$grants[] = "'". $realm . $gid ."'";
}
}
$sql .= implode(',', $grants) .') AND grant_'. $op .' = 1';
$result = db_query($sql, $nid);
return (db_result($result));
}
return FALSE;
}
/**
* Generate an SQL join clause for use in fetching a node listing.
*
* @param $node_alias
* If the node table has been given an SQL alias other than the default
* "n", that must be passed here.
* @param $node_access_alias
* If the node_access table has been given an SQL alias other than the default
* "na", that must be passed here.
* @return
* An SQL join clause.
*/
function node_access_join_sql($node_alias = 'n', $node_access_alias = 'na') {
if (user_access('administer nodes')) {
return '';
}
$sql = 'INNER JOIN {node_access} '. $node_access_alias;
$sql .= ' ON ('. $node_access_alias .'.nid = 0 OR '. $node_access_alias .'.nid = '. $node_alias .'.nid)';
return $sql;
}
/**
* Generate an SQL where clause for use in fetching a node listing.
*
* @param $op
* The operation that must be allowed to return a node.
* @param $node_access_alias
* If the node_access table has been given an SQL alias other than the default
* "na", that must be passed here.
* @return
* An SQL where clause.
*/
function node_access_where_sql($op = 'view', $node_access_alias = 'na') {
if (user_access('administer nodes')) {
return '1';
}
$sql = $node_access_alias .'.grant_'. $op .' = 1 AND CONCAT('. $node_access_alias .'.realm, '. $node_access_alias .'.gid) IN (';
$grants = array();
foreach (node_access_grants($op) as $realm => $gids) {
foreach ($gids as $gid) {
$grants[] = "'". $realm . $gid ."'";
}
}
$sql .= implode(',', $grants) .')';
return $sql;
}
/**
* Fetch an array of permission IDs granted to the given user ID.
*
* The implementation here provides only the universal "all" grant. A node
* access module should implement hook_node_grants() to provide a grant
* list for the user.
*
* @param $op
* The operation that the user is trying to perform.
* @param $uid
* The user ID performing the operation. If omitted, the current user is used.
* @return
* An associative array in which the keys are realms, and the values are
* arrays of grants for those realms.
*/
function node_access_grants($op, $uid = NULL) {
global $user;
if (isset($uid)) {
$user_object = user_load(array('uid' => $uid));
}
else {
$user_object = $user;
}
return array_merge(array('all' => array(0)), module_invoke_all('node_grants', $user_object, $op));
}
/**
* @} end of defgroup node_access
*/
?>
......@@ -522,38 +522,16 @@ function node_prepare($node, $teaser = FALSE) {
* Generate a page displaying a single node, along with its comments.
*/
function node_show($node, $cid) {
if (node_access('view', $node)) {
$output = node_view($node, FALSE, TRUE);
$output = node_view($node, FALSE, TRUE);
if (function_exists('comment_render') && $node->comment) {
$output .= comment_render($node, $cid);
}
// Update the history table, stating that this user viewed this node.
node_tag_new($node->nid);
return $output;
}
else {
drupal_set_message(message_access());
}
}
/**