Handling permissions for comments that support all entity types

Berdir's picture

Right now, comments are specific to nodes and respect node permissions on overview pages, the recent comments block and so on, so that you can't see comments if you can't see the node.

http://drupal.org/node/731724 is making comments entity-type agnostic, so that you can attach comments to any fieldable entity.

This poses interesting security questions. The biggest problem, I think, is that e.g. the comments overview page could now list comments attached to users, terms, nodes and commerce orders on the same list, from a single query. We don't have a generic entity_access query tag/API, and even if we did, I'm not sure if we can design one that supports this use case.

I've outlined some thoughts about possible solutions in http://drupal.org/node/731724#comment-6714470.

The main question that I have for the security team is whether the first suggestion would be OK from a security perspective, meaning that we would list those comments on the overview but non-linked and without a title. We could extend it a bit to only include an entity type filter (e.g. to include user, you need access profile permission, access content for nodes, and so on; not sure how to get that list, though).

No idea what to do with the public recent comments list.

Oh, and this needs a solution for Views as well :)
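
One reading of the first suggestion combined with the entity type filter, as an added example that is not part of the original post and is not Drupal code. The function names, the type-to-permission map and the `$can_view` callback are hypothetical; only the permission strings `access content` and `access user profiles` are existing core permissions.

```php
<?php
// Plain PHP model; no Drupal API is called and every function name is hypothetical.
// The type-to-permission map is an assumption; unmapped types fail closed.
const TYPE_PERMISSION = [
  'node' => 'access content',
  'user' => 'access user profiles',
];

// Entity types whose comments this account may see listed at all.
function allowed_entity_types(array $permissions): array {
  $allowed = [];
  foreach (TYPE_PERMISSION as $type => $permission) {
    if (in_array($permission, $permissions, TRUE)) {
      $allowed[] = $type;
    }
  }
  return $allowed;
}

// $can_view(string $type, int $id): bool stands in for a per-entity access check.
function build_overview_rows(array $comments, array $permissions, callable $can_view): array {
  $allowed = allowed_entity_types($permissions);
  $rows = [];
  foreach ($comments as $c) {
    if (!in_array($c['entity_type'], $allowed, TRUE)) {
      continue; // Type-level filter: drop the row entirely.
    }
    $visible = $can_view($c['entity_type'], $c['entity_id']);
    $rows[] = [
      'subject' => $c['subject'],
      // Host title and link are withheld unless the host entity is viewable.
      'host_title' => $visible ? $c['host_title'] : NULL,
      'host_path' => $visible ? $c['entity_type'] . '/' . $c['entity_id'] : NULL,
    ];
  }
  return $rows;
}

// Constructed sample data: four comments on three entity types.
$comments = [
  ['subject' => 'Nice post', 'entity_type' => 'node', 'entity_id' => 1, 'host_title' => 'Public article'],
  ['subject' => 'Re: draft', 'entity_type' => 'node', 'entity_id' => 2, 'host_title' => 'Unpublished draft'],
  ['subject' => 'Hello', 'entity_type' => 'user', 'entity_id' => 7, 'host_title' => 'alice'],
  ['subject' => 'Order note', 'entity_type' => 'commerce_order', 'entity_id' => 3, 'host_title' => 'Order 3'],
];
// Constructed access rule: only node 1 is viewable by this account.
$can_view = function ($type, $id) { return $type === 'node' && $id === 1; };
print_r(build_overview_rows($comments, ['access content'], $can_view));
```

In a single-query listing the type filter would be a condition on the entity type column, so rows for types the account has no permission for are never loaded. Note that the comment subject is still shown for the redacted row, which is the residual exposure the question to the security team is about.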