Commit d1cb1258 authored by Dries's avatar Dries

- Patch #1204658 by kbasarab, Berdir, tim.plunkett, webchick: remove node...

- Patch #1204658 by kbasarab, Berdir, tim.plunkett, webchick: remove node access base table fallback.
parent 17466816
......@@ -528,6 +528,7 @@ function comment_get_recent($number = 10) {
$query = db_select('comment', 'c');
$query->innerJoin('node', 'n', 'n.nid = c.nid');
$query->addTag('node_access');
$query->addMetaData('base_table', 'comment');
$comments = $query
->fields('c')
->condition('c.status', COMMENT_PUBLISHED)
......@@ -860,6 +861,7 @@ function comment_get_thread(Node $node, $mode, $comments_per_page) {
->condition('c.nid', $node->nid)
->addTag('node_access')
->addTag('comment_filter')
->addMetaData('base_table', 'comment')
->addMetaData('node', $node)
->limit($comments_per_page);
......@@ -869,6 +871,7 @@ function comment_get_thread(Node $node, $mode, $comments_per_page) {
->condition('c.nid', $node->nid)
->addTag('node_access')
->addTag('comment_filter')
->addMetaData('base_table', 'comment')
->addMetaData('node', $node);
if (!user_access('administer comments')) {
......
......@@ -679,7 +679,8 @@ function forum_block_save($delta = '', $edit = array()) {
function forum_block_view($delta = '') {
$query = db_select('forum_index', 'f')
->fields('f')
->addTag('node_access');
->addTag('node_access')
->addMetaData('base_table', 'forum_index');
switch ($delta) {
case 'active':
$title = t('Active forum topics');
......@@ -928,6 +929,7 @@ function forum_get_topics($tid, $sortby, $forum_per_page) {
$query
->condition('f.tid', $tid)
->addTag('node_access')
->addMetaData('base_table', 'forum_index')
->orderBy('f.sticky', 'DESC')
->orderByHeader($forum_topic_list_header)
->limit($forum_per_page);
......@@ -936,6 +938,7 @@ function forum_get_topics($tid, $sortby, $forum_per_page) {
$count_query->condition('f.tid', $tid);
$count_query->addExpression('COUNT(*)');
$count_query->addTag('node_access');
$count_query->addMetaData('base_table', 'forum_index');
$query->setCountQuery($count_query);
$result = $query->execute();
......
......@@ -3258,10 +3258,9 @@ function _node_query_node_access_alter($query, $type) {
$tables = $query->getTables();
$base_table = $query->getMetaData('base_table');
// If no base table is specified explicitly, search for one.
// If the base table is not given, default to node if present.
if (!$base_table) {
$fallback = '';
foreach ($tables as $alias => $table_info) {
foreach ($tables as $table_info) {
if (!($table_info instanceof SelectInterface)) {
$table = $table_info['table'];
// If the node table is in the query, it wins immediately.
......@@ -3269,38 +3268,11 @@ function _node_query_node_access_alter($query, $type) {
$base_table = $table;
break;
}
// Check whether the table has a foreign key to node.nid. If it does,
// do not run this check again as we found a base table and only node
// can triumph that.
if (!$base_table) {
// The schema is cached.
$schema = drupal_get_schema($table);
if (isset($schema['fields']['nid'])) {
if (isset($schema['foreign keys'])) {
foreach ($schema['foreign keys'] as $relation) {
if ($relation['table'] === 'node' && $relation['columns'] === array('nid' => 'nid')) {
$base_table = $table;
}
}
}
else {
// At least it's a nid. A table with a field called nid is very
// very likely to be a node.nid in a node access query.
$fallback = $table;
}
}
}
}
}
// If there is nothing else, use the fallback.
// Bail out if the base table is missing.
if (!$base_table) {
if ($fallback) {
watchdog('security', 'Your node listing query is using @fallback as a base table in a query tagged for node access. This might not be secure and might not even work. Specify foreign keys in your schema to node.nid ', array('@fallback' => $fallback), WATCHDOG_WARNING);
$base_table = $fallback;
}
else {
throw new Exception(t('Query tagged for node access but there is no nid. Add foreign keys to node.nid in schema to fix.'));
}
throw new Exception(t('Query tagged for node access but there is no node table, specify the base_table using meta data.'));
}
}
......
......@@ -228,6 +228,7 @@ function taxonomy_select_nodes($tid, $pager = TRUE, $limit = FALSE, $order = arr
}
$query = db_select('taxonomy_index', 't');
$query->addTag('node_access');
$query->addMetaData('base_table', 'taxonomy_index');
$query->condition('tid', $tid);
if ($pager) {
$count_query = clone $query;
......
......@@ -39,6 +39,7 @@ function tracker_page($account = NULL, $set_title = FALSE) {
// while keeping the correct order.
$nodes = $query
->addTag('node_access')
->addMetaData('base_table', 'tracker_node')
->fields('t', array('nid', 'changed'))
->condition('t.published', 1)
->orderBy('t.changed', 'DESC')
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment