- Patch #10977 by killes: review node access checks in book module.

f4b076bc · Dries · 1298d2b9 · f4b076bc · f4b076bc
Commit f4b076bc authored Sep 29, 2004 by Dries
--- a/modules/book.module
+++ b/modules/book.module
@@ -90,7 +90,7 @@ function book_menu($may_cache) {
      'callback' => 'book_admin_orphan',
      'access' => user_access('administer nodes'),
      'weight' => 8);
-    $result = db_query('SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = 0 ORDER BY b.weight, n.title');
+    $result = db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = 0 ORDER BY b.weight, n.title');
    while ($book = db_fetch_object($result)) {
      $items[] = array('path' => 'admin/node/book/'. $book->nid, 'title' => t('"%title" book', array('%title' => $book->title)));
    }
@@ -121,7 +121,7 @@ function book_block($op = 'list', $delta = 0) {
  else {
    // Only display this block when the user is browsing a book:
    if (arg(0) == 'node' && is_numeric(arg(1))) {
-      $result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d', arg(1));
+      $result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' n.nid = %d', arg(1));
      if (db_num_rows($result) > 0) {
        $node = db_fetch_object($result);

@@ -315,7 +315,7 @@ function book_revision_load($page, $conditions = array()) {
 * Return the path (call stack) to a certain book page.
 */
 function book_location($node, $nodes = array()) {
-  $parent = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d', $node->parent));
+  $parent = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND n.nid = %d', $node->parent));
  if ($parent->title) {
    $nodes = book_location($parent, $nodes);
    array_push($nodes, $parent);
@@ -324,7 +324,7 @@ function book_location($node, $nodes = array()) {
 }

 function book_location_down($node, $nodes = array()) {
-  $last_direct_child = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d ORDER BY b.weight DESC, n.title DESC', $node->nid));
+  $last_direct_child = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = %d ORDER BY b.weight DESC, n.title DESC', $node->nid));
  if ($last_direct_child) {
    array_push($nodes, $last_direct_child);
    $nodes = book_location_down($last_direct_child, $nodes);
@@ -342,7 +342,7 @@ function book_prev($node) {
  }

  // Previous on the same level:
-  $direct_above = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') AND (b.weight < %d OR (b.weight = %d AND n.title < '%s')) ORDER BY b.weight DESC, n.title DESC", $node->parent, $node->weight, $node->weight, $node->title));
+  $direct_above = db_fetch_object(db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() ." AND b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') AND (b.weight < %d OR (b.weight = %d AND n.title < '%s')) ORDER BY b.weight DESC, n.title DESC", $node->parent, $node->weight, $node->weight, $node->title));
  if ($direct_above) {
    // Get last leaf of $above.
    $path = book_location_down($direct_above);
@@ -351,7 +351,7 @@ function book_prev($node) {
  }
  else {
    // Direct parent:
-    $prev = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '')", $node->parent));
+    $prev = db_fetch_object(db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() ." AND n.nid = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '')", $node->parent));
    return $prev;
  }
 }
@@ -581,7 +581,7 @@ function book_tree($parent = 0, $depth = 3, $unfold = array()) {
 * Menu callback; prints a listing of all books.
 */
 function book_render() {
-  $result = db_query('SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = 0 AND n.status = 1 AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title');
+  $result = db_query('SELECT n.nid FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = 0 AND n.status = 1 AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title');

  while ($page = db_fetch_object($result)) {
    // Load the node:
@@ -671,7 +671,7 @@ function book_admin_view_line($node, $depth = 0) {
 }

 function book_admin_view_book($nid, $depth = 1) {
-  $result = db_query("SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d ORDER BY b.weight, n.title", $nid);
+  $result = db_query('SELECT n.nid FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = %d ORDER BY b.weight, n.title', $nid);

  while ($node = db_fetch_object($result)) {
    $node = node_load(array('nid' => $node->nid));
@@ -731,7 +731,7 @@ function book_admin_save($nid, $edit = array()) {
 * Menu callback; displays a listing of all orphaned book pages.
 */
 function book_admin_orphan() {
-  $result = db_query('SELECT n.nid, n.title, n.status, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid');
+  $result = db_query('SELECT n.nid, n.title, n.status, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql());

  while ($page = db_fetch_object($result)) {
    $pages[$page->nid] = $page;
@@ -808,4 +808,4 @@ function book_help_page() {
  print theme('page', book_help('admin/help#book'));
 }

-?>
+?>
\ No newline at end of file
--- a/modules/book/book.module
+++ b/modules/book/book.module
@@ -90,7 +90,7 @@ function book_menu($may_cache) {
      'callback' => 'book_admin_orphan',
      'access' => user_access('administer nodes'),
      'weight' => 8);
-    $result = db_query('SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = 0 ORDER BY b.weight, n.title');
+    $result = db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = 0 ORDER BY b.weight, n.title');
    while ($book = db_fetch_object($result)) {
      $items[] = array('path' => 'admin/node/book/'. $book->nid, 'title' => t('"%title" book', array('%title' => $book->title)));
    }
@@ -121,7 +121,7 @@ function book_block($op = 'list', $delta = 0) {
  else {
    // Only display this block when the user is browsing a book:
    if (arg(0) == 'node' && is_numeric(arg(1))) {
-      $result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d', arg(1));
+      $result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' n.nid = %d', arg(1));
      if (db_num_rows($result) > 0) {
        $node = db_fetch_object($result);

@@ -315,7 +315,7 @@ function book_revision_load($page, $conditions = array()) {
 * Return the path (call stack) to a certain book page.
 */
 function book_location($node, $nodes = array()) {
-  $parent = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d', $node->parent));
+  $parent = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND n.nid = %d', $node->parent));
  if ($parent->title) {
    $nodes = book_location($parent, $nodes);
    array_push($nodes, $parent);
@@ -324,7 +324,7 @@ function book_location($node, $nodes = array()) {
 }

 function book_location_down($node, $nodes = array()) {
-  $last_direct_child = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d ORDER BY b.weight DESC, n.title DESC', $node->nid));
+  $last_direct_child = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = %d ORDER BY b.weight DESC, n.title DESC', $node->nid));
  if ($last_direct_child) {
    array_push($nodes, $last_direct_child);
    $nodes = book_location_down($last_direct_child, $nodes);
@@ -342,7 +342,7 @@ function book_prev($node) {
  }

  // Previous on the same level:
-  $direct_above = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') AND (b.weight < %d OR (b.weight = %d AND n.title < '%s')) ORDER BY b.weight DESC, n.title DESC", $node->parent, $node->weight, $node->weight, $node->title));
+  $direct_above = db_fetch_object(db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() ." AND b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') AND (b.weight < %d OR (b.weight = %d AND n.title < '%s')) ORDER BY b.weight DESC, n.title DESC", $node->parent, $node->weight, $node->weight, $node->title));
  if ($direct_above) {
    // Get last leaf of $above.
    $path = book_location_down($direct_above);
@@ -351,7 +351,7 @@ function book_prev($node) {
  }
  else {
    // Direct parent:
-    $prev = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '')", $node->parent));
+    $prev = db_fetch_object(db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() ." AND n.nid = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '')", $node->parent));
    return $prev;
  }
 }
@@ -581,7 +581,7 @@ function book_tree($parent = 0, $depth = 3, $unfold = array()) {
 * Menu callback; prints a listing of all books.
 */
 function book_render() {
-  $result = db_query('SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = 0 AND n.status = 1 AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title');
+  $result = db_query('SELECT n.nid FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = 0 AND n.status = 1 AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title');

  while ($page = db_fetch_object($result)) {
    // Load the node:
@@ -671,7 +671,7 @@ function book_admin_view_line($node, $depth = 0) {
 }

 function book_admin_view_book($nid, $depth = 1) {
-  $result = db_query("SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d ORDER BY b.weight, n.title", $nid);
+  $result = db_query('SELECT n.nid FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = %d ORDER BY b.weight, n.title', $nid);

  while ($node = db_fetch_object($result)) {
    $node = node_load(array('nid' => $node->nid));
@@ -731,7 +731,7 @@ function book_admin_save($nid, $edit = array()) {
 * Menu callback; displays a listing of all orphaned book pages.
 */
 function book_admin_orphan() {
-  $result = db_query('SELECT n.nid, n.title, n.status, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid');
+  $result = db_query('SELECT n.nid, n.title, n.status, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql());

  while ($page = db_fetch_object($result)) {
    $pages[$page->nid] = $page;
@@ -808,4 +808,4 @@ function book_help_page() {
  print theme('page', book_help('admin/help#book'));
 }

-?>
+?>
\ No newline at end of file