Commit f4b076bc authored by Dries's avatar Dries

- Patch #10977 by killes: review node access checks in book module.

parent 1298d2b9
...@@ -90,7 +90,7 @@ function book_menu($may_cache) { ...@@ -90,7 +90,7 @@ function book_menu($may_cache) {
'callback' => 'book_admin_orphan', 'callback' => 'book_admin_orphan',
'access' => user_access('administer nodes'), 'access' => user_access('administer nodes'),
'weight' => 8); 'weight' => 8);
$result = db_query('SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = 0 ORDER BY b.weight, n.title'); $result = db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = 0 ORDER BY b.weight, n.title');
while ($book = db_fetch_object($result)) { while ($book = db_fetch_object($result)) {
$items[] = array('path' => 'admin/node/book/'. $book->nid, 'title' => t('"%title" book', array('%title' => $book->title))); $items[] = array('path' => 'admin/node/book/'. $book->nid, 'title' => t('"%title" book', array('%title' => $book->title)));
} }
...@@ -121,7 +121,7 @@ function book_block($op = 'list', $delta = 0) { ...@@ -121,7 +121,7 @@ function book_block($op = 'list', $delta = 0) {
else { else {
// Only display this block when the user is browsing a book: // Only display this block when the user is browsing a book:
if (arg(0) == 'node' && is_numeric(arg(1))) { if (arg(0) == 'node' && is_numeric(arg(1))) {
$result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d', arg(1)); $result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' n.nid = %d', arg(1));
if (db_num_rows($result) > 0) { if (db_num_rows($result) > 0) {
$node = db_fetch_object($result); $node = db_fetch_object($result);
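Review bot: The new book_block query is built as `WHERE '. node_access_where_sql() .' n.nid = %d'`, with no `AND` between the access clause and the nid condition, so the SQL is malformed and the block query fails on every node page as soon as the access clause is non-empty; every other hunk in this commit (book_menu, book_location, book_location_down, book_prev, book_render, book_admin_view_book) writes `.' AND ...'`. Change it to `$result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND n.nid = %d', arg(1));`. This also assumes node_access_where_sql() returns a bare boolean condition with no trailing operator, which is consistent with how the other hunks use it but cannot be confirmed from here. The enclosing book_block function starts and ends outside the hunk.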
...@@ -315,7 +315,7 @@ function book_revision_load($page, $conditions = array()) { ...@@ -315,7 +315,7 @@ function book_revision_load($page, $conditions = array()) {
* Return the path (call stack) to a certain book page. * Return the path (call stack) to a certain book page.
*/ */
function book_location($node, $nodes = array()) { function book_location($node, $nodes = array()) {
$parent = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d', $node->parent)); $parent = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND n.nid = %d', $node->parent));
if ($parent->title) { if ($parent->title) {
$nodes = book_location($parent, $nodes); $nodes = book_location($parent, $nodes);
array_push($nodes, $parent); array_push($nodes, $parent);
...@@ -324,7 +324,7 @@ function book_location($node, $nodes = array()) { ...@@ -324,7 +324,7 @@ function book_location($node, $nodes = array()) {
} }
function book_location_down($node, $nodes = array()) { function book_location_down($node, $nodes = array()) {
$last_direct_child = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d ORDER BY b.weight DESC, n.title DESC', $node->nid)); $last_direct_child = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = %d ORDER BY b.weight DESC, n.title DESC', $node->nid));
if ($last_direct_child) { if ($last_direct_child) {
array_push($nodes, $last_direct_child); array_push($nodes, $last_direct_child);
$nodes = book_location_down($last_direct_child, $nodes); $nodes = book_location_down($last_direct_child, $nodes);
...@@ -342,7 +342,7 @@ function book_prev($node) { ...@@ -342,7 +342,7 @@ function book_prev($node) {
} }
// Previous on the same level: // Previous on the same level:
$direct_above = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') AND (b.weight < %d OR (b.weight = %d AND n.title < '%s')) ORDER BY b.weight DESC, n.title DESC", $node->parent, $node->weight, $node->weight, $node->title)); $direct_above = db_fetch_object(db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() ." AND b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') AND (b.weight < %d OR (b.weight = %d AND n.title < '%s')) ORDER BY b.weight DESC, n.title DESC", $node->parent, $node->weight, $node->weight, $node->title));
if ($direct_above) { if ($direct_above) {
// Get last leaf of $above. // Get last leaf of $above.
$path = book_location_down($direct_above); $path = book_location_down($direct_above);
...@@ -351,7 +351,7 @@ function book_prev($node) { ...@@ -351,7 +351,7 @@ function book_prev($node) {
} }
else { else {
// Direct parent: // Direct parent:
$prev = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '')", $node->parent)); $prev = db_fetch_object(db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() ." AND n.nid = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '')", $node->parent));
return $prev; return $prev;
} }
} }
...@@ -581,7 +581,7 @@ function book_tree($parent = 0, $depth = 3, $unfold = array()) { ...@@ -581,7 +581,7 @@ function book_tree($parent = 0, $depth = 3, $unfold = array()) {
* Menu callback; prints a listing of all books. * Menu callback; prints a listing of all books.
*/ */
function book_render() { function book_render() {
$result = db_query('SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = 0 AND n.status = 1 AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title'); $result = db_query('SELECT n.nid FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = 0 AND n.status = 1 AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title');
while ($page = db_fetch_object($result)) { while ($page = db_fetch_object($result)) {
// Load the node: // Load the node:
...@@ -671,7 +671,7 @@ function book_admin_view_line($node, $depth = 0) { ...@@ -671,7 +671,7 @@ function book_admin_view_line($node, $depth = 0) {
} }
function book_admin_view_book($nid, $depth = 1) { function book_admin_view_book($nid, $depth = 1) {
$result = db_query("SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d ORDER BY b.weight, n.title", $nid); $result = db_query('SELECT n.nid FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = %d ORDER BY b.weight, n.title', $nid);
while ($node = db_fetch_object($result)) { while ($node = db_fetch_object($result)) {
$node = node_load(array('nid' => $node->nid)); $node = node_load(array('nid' => $node->nid));
...@@ -731,7 +731,7 @@ function book_admin_save($nid, $edit = array()) { ...@@ -731,7 +731,7 @@ function book_admin_save($nid, $edit = array()) {
* Menu callback; displays a listing of all orphaned book pages. * Menu callback; displays a listing of all orphaned book pages.
*/ */
function book_admin_orphan() { function book_admin_orphan() {
$result = db_query('SELECT n.nid, n.title, n.status, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid'); $result = db_query('SELECT n.nid, n.title, n.status, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql());
while ($page = db_fetch_object($result)) { while ($page = db_fetch_object($result)) {
$pages[$page->nid] = $page; $pages[$page->nid] = $page;
...@@ -808,4 +808,4 @@ function book_help_page() { ...@@ -808,4 +808,4 @@ function book_help_page() {
print theme('page', book_help('admin/help#book')); print theme('page', book_help('admin/help#book'));
} }
?> ?>
\ No newline at end of file
...@@ -90,7 +90,7 @@ function book_menu($may_cache) { ...@@ -90,7 +90,7 @@ function book_menu($may_cache) {
'callback' => 'book_admin_orphan', 'callback' => 'book_admin_orphan',
'access' => user_access('administer nodes'), 'access' => user_access('administer nodes'),
'weight' => 8); 'weight' => 8);
$result = db_query('SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = 0 ORDER BY b.weight, n.title'); $result = db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = 0 ORDER BY b.weight, n.title');
while ($book = db_fetch_object($result)) { while ($book = db_fetch_object($result)) {
$items[] = array('path' => 'admin/node/book/'. $book->nid, 'title' => t('"%title" book', array('%title' => $book->title))); $items[] = array('path' => 'admin/node/book/'. $book->nid, 'title' => t('"%title" book', array('%title' => $book->title)));
} }
...@@ -121,7 +121,7 @@ function book_block($op = 'list', $delta = 0) { ...@@ -121,7 +121,7 @@ function book_block($op = 'list', $delta = 0) {
else { else {
// Only display this block when the user is browsing a book: // Only display this block when the user is browsing a book:
if (arg(0) == 'node' && is_numeric(arg(1))) { if (arg(0) == 'node' && is_numeric(arg(1))) {
$result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d', arg(1)); $result = db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' n.nid = %d', arg(1));
if (db_num_rows($result) > 0) { if (db_num_rows($result) > 0) {
$node = db_fetch_object($result); $node = db_fetch_object($result);
...@@ -315,7 +315,7 @@ function book_revision_load($page, $conditions = array()) { ...@@ -315,7 +315,7 @@ function book_revision_load($page, $conditions = array()) {
* Return the path (call stack) to a certain book page. * Return the path (call stack) to a certain book page.
*/ */
function book_location($node, $nodes = array()) { function book_location($node, $nodes = array()) {
$parent = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d', $node->parent)); $parent = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND n.nid = %d', $node->parent));
if ($parent->title) { if ($parent->title) {
$nodes = book_location($parent, $nodes); $nodes = book_location($parent, $nodes);
array_push($nodes, $parent); array_push($nodes, $parent);
...@@ -324,7 +324,7 @@ function book_location($node, $nodes = array()) { ...@@ -324,7 +324,7 @@ function book_location($node, $nodes = array()) {
} }
function book_location_down($node, $nodes = array()) { function book_location_down($node, $nodes = array()) {
$last_direct_child = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d ORDER BY b.weight DESC, n.title DESC', $node->nid)); $last_direct_child = db_fetch_object(db_query('SELECT n.nid, n.title, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = %d ORDER BY b.weight DESC, n.title DESC', $node->nid));
if ($last_direct_child) { if ($last_direct_child) {
array_push($nodes, $last_direct_child); array_push($nodes, $last_direct_child);
$nodes = book_location_down($last_direct_child, $nodes); $nodes = book_location_down($last_direct_child, $nodes);
...@@ -342,7 +342,7 @@ function book_prev($node) { ...@@ -342,7 +342,7 @@ function book_prev($node) {
} }
// Previous on the same level: // Previous on the same level:
$direct_above = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') AND (b.weight < %d OR (b.weight = %d AND n.title < '%s')) ORDER BY b.weight DESC, n.title DESC", $node->parent, $node->weight, $node->weight, $node->title)); $direct_above = db_fetch_object(db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() ." AND b.parent = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '') AND (b.weight < %d OR (b.weight = %d AND n.title < '%s')) ORDER BY b.weight DESC, n.title DESC", $node->parent, $node->weight, $node->weight, $node->title));
if ($direct_above) { if ($direct_above) {
// Get last leaf of $above. // Get last leaf of $above.
$path = book_location_down($direct_above); $path = book_location_down($direct_above);
...@@ -351,7 +351,7 @@ function book_prev($node) { ...@@ -351,7 +351,7 @@ function book_prev($node) {
} }
else { else {
// Direct parent: // Direct parent:
$prev = db_fetch_object(db_query("SELECT n.nid, n.title FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE n.nid = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '')", $node->parent)); $prev = db_fetch_object(db_query('SELECT n.nid, n.title FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() ." AND n.nid = %d AND n.status = 1 AND (n.moderate = 0 OR n.revisions != '')", $node->parent));
return $prev; return $prev;
} }
} }
...@@ -581,7 +581,7 @@ function book_tree($parent = 0, $depth = 3, $unfold = array()) { ...@@ -581,7 +581,7 @@ function book_tree($parent = 0, $depth = 3, $unfold = array()) {
* Menu callback; prints a listing of all books. * Menu callback; prints a listing of all books.
*/ */
function book_render() { function book_render() {
$result = db_query('SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = 0 AND n.status = 1 AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title'); $result = db_query('SELECT n.nid FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = 0 AND n.status = 1 AND (n.moderate = 0 OR n.revisions IS NOT NULL) ORDER BY b.weight, n.title');
while ($page = db_fetch_object($result)) { while ($page = db_fetch_object($result)) {
// Load the node: // Load the node:
...@@ -671,7 +671,7 @@ function book_admin_view_line($node, $depth = 0) { ...@@ -671,7 +671,7 @@ function book_admin_view_line($node, $depth = 0) {
} }
function book_admin_view_book($nid, $depth = 1) { function book_admin_view_book($nid, $depth = 1) {
$result = db_query("SELECT n.nid FROM {node} n INNER JOIN {book} b ON n.nid = b.nid WHERE b.parent = %d ORDER BY b.weight, n.title", $nid); $result = db_query('SELECT n.nid FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql() .' AND b.parent = %d ORDER BY b.weight, n.title', $nid);
while ($node = db_fetch_object($result)) { while ($node = db_fetch_object($result)) {
$node = node_load(array('nid' => $node->nid)); $node = node_load(array('nid' => $node->nid));
...@@ -731,7 +731,7 @@ function book_admin_save($nid, $edit = array()) { ...@@ -731,7 +731,7 @@ function book_admin_save($nid, $edit = array()) {
* Menu callback; displays a listing of all orphaned book pages. * Menu callback; displays a listing of all orphaned book pages.
*/ */
function book_admin_orphan() { function book_admin_orphan() {
$result = db_query('SELECT n.nid, n.title, n.status, b.parent FROM {node} n INNER JOIN {book} b ON n.nid = b.nid'); $result = db_query('SELECT n.nid, n.title, n.status, b.parent FROM {node} n '. node_access_join_sql() .' INNER JOIN {book} b ON n.nid = b.nid WHERE '. node_access_where_sql());
while ($page = db_fetch_object($result)) { while ($page = db_fetch_object($result)) {
$pages[$page->nid] = $page; $pages[$page->nid] = $page;
...@@ -808,4 +808,4 @@ function book_help_page() { ...@@ -808,4 +808,4 @@ function book_help_page() {
print theme('page', book_help('admin/help#book')); print theme('page', book_help('admin/help#book'));
} }
?> ?>
\ No newline at end of file