Web design, programming, graphics, and pretty much anything else I care about.

Node reference URL widget not checking user access?

I seem to have a bug in the Node reference URL widget module (http://drupal.org/project/nodereference_url). It is not checking to see if the user has the correct permissions to create a node of the type being referenced. The link to create a node should not appear if they do not have access.

On this line

<?php
if ($field['referenceable_types'][$object->type] && user_access('create ' . $object->type . ' content')) {
?>

I replaced $object->type with $target_type and it seems to work fine.

<?php
if ($field['referenceable_types'][$object->type] && user_access('create ' . $target_type . ' content')) {
?>

I found an issue for the exact problem. http://drupal.org/node/390924

Update: quicksketch added my change as a patch and is adding it to 6.x-1.2 of the module. http://drupal.org/node/390924#comment-1484014