Unexpected access operation throws exception when node grant system is active

Created on 29 January 2016, almost 9 years ago
Updated 9 May 2023, over 1 year ago

If a module implementing node grants is enabled, and a non-standard operation is passed to check access to a node, then a database exception is thrown.

Problem/Motivation

The node grant system is not activated unless there is an installed module which implements hook_node_grants. Drupal does not come with any non-test modules implementing this hook.

Once the grant system is enabled, \Drupal\node\NodeGrantDatabaseStorage->access() constructs a database conditions' column by concatenating 'grant' . $operation. However only 'grant_view', 'grant_update', 'grant_delete' columns exist. The code does not do any pre-checks for column existence.

This code was uncovered due to a non-standard operation implemented by RNG , combined with a hook_node_grants implementer in content_access .

Steps to reproduce:

  1. Enable content_access module, or any module implementing node grants.
  2. Rebuild node access.
  3. Create a test script, executing
      $node->access('a_random_operation');
    
  4. As a limited user, run the test script.

Proposed resolution

The patch ensures the operation passed is one of the three grant columns in node_access database table.

Remaining tasks

N/A

User interface changes

None

API changes

None

Data model changes

None

References

- RNG issue: Possible problem with RNG and CONTENT ACCESS #71
- Content Access issue: #2653252: "The website encountered an unexpected error" upon setting Access Control for individual node

🐛 Bug report
Status

Fixed

Version

8.0 ⚰️

Component
Node system 

Last updated 4 days ago

No maintainer
Created by

🇦🇺Australia dpi Perth, Australia

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024