- By fkaufusi
- Drupal version 6:
- function user_access($string, $account = NULL, $reset = FALSE) {
- global $user;
- static $perm = array();
- if ($reset) {
- $perm = array();
- }
- if(is_null($account)){
- $account = $user;
- }
- // User #1 has all privileges:
- if ($account->uid == 1) {
- return TRUE;
- }
- // To reduce the number of SQL queries, we cache the user's permissions
- // in a static variable.
- if (!isset($perm[$account->uid])) {
- $result = db_query("SELECT p.perm FROM {role} r INNER JOIN {permission} p ON p.rid = r.rid WHERE r.rid IN (". db_placeholders($account->roles) .")", array_keys($account->roles));
- $perms = array();
- while ($row = db_fetch_object($result)) {
- $perms += array_flip(explode(', ', $row->perm));
- }
- $perm[$account->uid] = $perms;
- }
- return isset($perm[$account->uid][$string]);
- }
- Have a look at the function above which is use to check the user access permission.
- Look at how the drupal validate the $account variable, $account variable is suppose to be an object and here's how drupal validate it.
- if(is_null($account)){
- $account = $user;
- }
- They only check to see if the $account variable is null, then if not null then they think is an object. Okay how about if the $account type is not an object.
- Here's a small fix and it would help to implement in the next version of drupal.
- if(is_null($account) || !is_object($account)){
- $account = $user;
- }
- ?>
