Commit f4b076bc authored by Dries's avatar Dries

- Patch #10977 by killes: review node access checks in book module.

parent 1298d2b9
......@@ -90,7 +90,7 @@ function book_menu($may_cache) {
'callback' => 'book_admin_orphan',
'access' => user_access('administer nodes'),
'weight' => 8);
$result = db_query('SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = 0 ORDER BY b.weight, n.title');
$result = db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = 0 ORDER BY b.weight, n.title');
while ($book = db_fetch_object($result)) {
$items[] = array('path' => 'admin/node/book/'. $book->nid, 'title' => t('"%title" book', array('%title' => $book->title)));
}
......@@ -121,7 +121,7 @@ function book_block($op = 'list', $delta = 0) {
else {
// Only display this block when the user is browsing a book:
if (arg(0) == 'node' && is_numeric(arg(1))) {
$result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d', arg(1));
$result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' n.nid = %d', arg(1));
if (db_num_rows($result) > 0) {
$node = db_fetch_object($result);
......@@ -315,7 +315,7 @@ function book_revision_load($page, $conditions = array()) {
* Return the path (call stack) to a certain book page.
*/
function book_location($node, $nodes = array()) {
$parent = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d', $node->parent));
$parent = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND n.nid = %d', $node->parent));
if ($parent->title) {
$nodes = book_location($parent, $nodes);
array_push($nodes, $parent);
......@@ -324,7 +324,7 @@ function book_location($node, $nodes = array()) {
}
function book_location_down($node, $nodes = array()) {
$last_direct_child = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d ORDER BY b.weight DESC, n.title DESC', $node->nid));
$last_direct_child = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = %d ORDER BY b.weight DESC, n.title DESC', $node->nid));
if ($last_direct_child) {
array_push($nodes, $last_direct_child);
$nodes = book_location_down($last_direct_child, $nodes);
......@@ -342,7 +342,7 @@ function book_prev($node) {
}
// Previous on the same level:
$direct_above = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') AND (b.weight < %d OR (b.weight = %d AND n.title < '%s')) ORDER BY b.weight DESC, n.title DESC", $node->parent, $node->weight, $node->weight, $node->title));
$direct_above = db_fetch_object(db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() ." AND b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') AND (b.weight < %d OR (b.weight = %d AND n.title < '%s')) ORDER BY b.weight DESC, n.title DESC", $node->parent, $node->weight, $node->weight, $node->title));
if ($direct_above) {
// Get last leaf of $above.
$path = book_location_down($direct_above);
......@@ -351,7 +351,7 @@ function book_prev($node) {
}
else {
// Direct parent:
$prev = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '')", $node->parent));
$prev = db_fetch_object(db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() ." AND n.nid = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '')", $node->parent));
return $prev;
}
}
......@@ -581,7 +581,7 @@ function book_tree($parent = 0, $depth = 3, $unfold = array()) {
* Menu callback; prints a listing of all books.
*/
function book_render() {
$result = db_query('SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = 0 AND n.status = 1 AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title');
$result = db_query('SELECT n.nid FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = 0 AND n.status = 1 AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title');
while ($page = db_fetch_object($result)) {
// Load the node:
......@@ -671,7 +671,7 @@ function book_admin_view_line($node, $depth = 0) {
}
function book_admin_view_book($nid, $depth = 1) {
$result = db_query("SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d ORDER BY b.weight, n.title", $nid);
$result = db_query('SELECT n.nid FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = %d ORDER BY b.weight, n.title', $nid);
while ($node = db_fetch_object($result)) {
$node = node_load(array('nid' => $node->nid));
......@@ -731,7 +731,7 @@ function book_admin_save($nid, $edit = array()) {
* Menu callback; displays a listing of all orphaned book pages.
*/
function book_admin_orphan() {
$result = db_query('SELECT n.nid, n.title, n.status, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid');
$result = db_query('SELECT n.nid, n.title, n.status, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql());
while ($page = db_fetch_object($result)) {
$pages[$page->nid] = $page;
......@@ -808,4 +808,4 @@ function book_help_page() {
print theme('page', book_help('admin/help#book'));
}
?>
?>
\ No newline at end of file
......@@ -90,7 +90,7 @@ function book_menu($may_cache) {
'callback' => 'book_admin_orphan',
'access' => user_access('administer nodes'),
'weight' => 8);
$result = db_query('SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = 0 ORDER BY b.weight, n.title');
$result = db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = 0 ORDER BY b.weight, n.title');
while ($book = db_fetch_object($result)) {
$items[] = array('path' => 'admin/node/book/'. $book->nid, 'title' => t('"%title" book', array('%title' => $book->title)));
}
......@@ -121,7 +121,7 @@ function book_block($op = 'list', $delta = 0) {
else {
// Only display this block when the user is browsing a book:
if (arg(0) == 'node' && is_numeric(arg(1))) {
$result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d', arg(1));
$result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' n.nid = %d', arg(1));
if (db_num_rows($result) > 0) {
$node = db_fetch_object($result);
......@@ -315,7 +315,7 @@ function book_revision_load($page, $conditions = array()) {
* Return the path (call stack) to a certain book page.
*/
function book_location($node, $nodes = array()) {
$parent = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d', $node->parent));
$parent = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND n.nid = %d', $node->parent));
if ($parent->title) {
$nodes = book_location($parent, $nodes);
array_push($nodes, $parent);
......@@ -324,7 +324,7 @@ function book_location($node, $nodes = array()) {
}
function book_location_down($node, $nodes = array()) {
$last_direct_child = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d ORDER BY b.weight DESC, n.title DESC', $node->nid));
$last_direct_child = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = %d ORDER BY b.weight DESC, n.title DESC', $node->nid));
if ($last_direct_child) {
array_push($nodes, $last_direct_child);
$nodes = book_location_down($last_direct_child, $nodes);
......@@ -342,7 +342,7 @@ function book_prev($node) {
}
// Previous on the same level:
$direct_above = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') AND (b.weight < %d OR (b.weight = %d AND n.title < '%s')) ORDER BY b.weight DESC, n.title DESC", $node->parent, $node->weight, $node->weight, $node->title));
$direct_above = db_fetch_object(db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() ." AND b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') AND (b.weight < %d OR (b.weight = %d AND n.title < '%s')) ORDER BY b.weight DESC, n.title DESC", $node->parent, $node->weight, $node->weight, $node->title));
if ($direct_above) {
// Get last leaf of $above.
$path = book_location_down($direct_above);
......@@ -351,7 +351,7 @@ function book_prev($node) {
}
else {
// Direct parent:
$prev = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '')", $node->parent));
$prev = db_fetch_object(db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() ." AND n.nid = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '')", $node->parent));
return $prev;
}
}
......@@ -581,7 +581,7 @@ function book_tree($parent = 0, $depth = 3, $unfold = array()) {
* Menu callback; prints a listing of all books.
*/
function book_render() {
$result = db_query('SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = 0 AND n.status = 1 AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title');
$result = db_query('SELECT n.nid FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = 0 AND n.status = 1 AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title');
while ($page = db_fetch_object($result)) {
// Load the node:
......@@ -671,7 +671,7 @@ function book_admin_view_line($node, $depth = 0) {
}
function book_admin_view_book($nid, $depth = 1) {
$result = db_query("SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d ORDER BY b.weight, n.title", $nid);
$result = db_query('SELECT n.nid FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = %d ORDER BY b.weight, n.title', $nid);
while ($node = db_fetch_object($result)) {
$node = node_load(array('nid' => $node->nid));
......@@ -731,7 +731,7 @@ function book_admin_save($nid, $edit = array()) {
* Menu callback; displays a listing of all orphaned book pages.
*/
function book_admin_orphan() {
$result = db_query('SELECT n.nid, n.title, n.status, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid');
$result = db_query('SELECT n.nid, n.title, n.status, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql());
while ($page = db_fetch_object($result)) {
$pages[$page->nid] = $page;
......@@ -808,4 +808,4 @@ function book_help_page() {
print theme('page', book_help('admin/help#book'));
}
?>
?>
\ No newline at end of file
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment