Hello,

Using the latest version for 5.1 (v 1.102.2.3 2007/02/05 09:26:57 keve) I am experiencing a similar issue to #48291. Basically, in some places TAC is preventing 'protected' nodes from showing up in lists, but if I go directly to the node as an anonymous user (or directly to the forum index of a forum I shouldn't have access to) I get to see everything. Also, all posts are showing up in 'Recent posts' regardless of access.

I have tried rebuilding the node_access table (through Post settings and by disabling/re-enabling TAC) and to reset and save the permissions again. No luck on any of it.

This is basically preventing me from upgrading, so any suggestions you may have are very welcome! :)

Comments

keve’s picture

This is controlled by 'view' permission.

Please check the values in table node_access for the given node for the given role. (You can do it with the devel module (devel_node_access).)
Are the values in the table correct? In this case, TAC saves the values correctly.

Do you use any other access module, e.g. og?

Ixchael’s picture

Yes, the node_access table is correct. The example node I checked has the following:

select * from node_access WHERE nid = 12038;

+-------+-----+-------------+------------+--------------+--------------+
| nid   | gid | realm       | grant_view | grant_update | grant_delete |
+-------+-----+-------------+------------+--------------+--------------+
| 12038 |   3 | term_access |          1 |            0 |            0 |
| 12038 |   4 | term_access |          1 |            0 |            0 |
| 12038 |   5 | term_access |          1 |            0 |            0 |
| 12038 |   6 | term_access |          1 |            0 |            0 |
| 12038 |   9 | term_access |          1 |            0 |            0 |
| 12038 |  12 | term_access |          1 |            0 |            0 |
| 12038 |  20 | term_access |          1 |            0 |            0 |
| 12038 |  21 | term_access |          1 |            0 |            0 |
+-------+-----+-------------+------------+--------------+--------------+

And yet I am able to access it as an anonymous user (among others) - which is role ID 1.

I do not have any other access control modules installed.

keve’s picture

Please check if the anonymous user role has 'administer nodes' permission by any chance.

Since TAC saves node_access values correctly (no line is saved for the anonymous user), it is not a bug in this module. In this case it is a CORE ISSUE of node.module.

Note:
When accessing a node, function node_access() checks permissions:
1. 'administer nodes' permission.
2. hook_view (for diff. node type modules)
3. values in table node_access.

Ixchael’s picture

Project: Taxonomy Access Control » Drupal core
Version: 5.x-1.x-dev » 5.1
Component: Code » node system

No 'administer nodes' permission. The only permission anonymous users have for the node module is 'access content'.

Thanks for your help so far, keve. I've updated the Project / Component information.

keve’s picture

Sorry, I meant in comment #3:

2. hook_access (for diff. node type modules) w/ $op='view';

(Wrong: 2. hook_view (for diff. node type modules))

Ixchael’s picture

Thanks to your hints, I have been able to find the issue (though I have not yet found the cause).

An entry is made to the node_access table with nid of 0 and realm of 'all'. This apparently means that all nodes are viewable by everyone. Deleting the row from the table fixed most parts of this issue. Unfortunately, the row is added every time the permissions are rebuilt - which also seems to happen every time you save any changes to TAC. Why is that, by the way? Can't this be optimized to only update what has been changed? We have a lot of content, so rebuilding the entire node_access table takes forever :)

Anyway, to sum up:
1) Something is putting an entry in node_access, giving everybody view permission on everything.
2) This happens every time permissions are rebuilt, which also happens any time you save in TAC Permissions.

Ixchael’s picture

Category: support » bug

Changed to a bug report, as I have now found the issue.

node_access_acquire_grants (node.module) doesn't check if the node was actually loaded. If the node could not be loaded for some reason, everyone gets access to every node in the system. In my case, I think I might be missing a module for a particular type of node - which may explain why it isn't loading.

Either way, it's a pretty serious bug in my opinion. I fixed it locally by adding a check to the beginning of node_access_acquire_grants:

function node_access_acquire_grants($node) {
  // Skip nodes that failed to load, so no grants are written for them.
  if (!isset($node->nid)) {
    return;
  }
[...]

It might also make sense for node_access_rebuild to check if a node was actually loaded before passing it to node_access_acquire_grants.

Anyway, just thought I would report the bug and share my hack.

willmoy’s picture

Status: Active » Closed (duplicate)

This has been fixed elsewhere (not sure where) but compare:
http://cvs.drupal.org/viewvc.py/drupal/drupal/modules/node/node.module?r...

with http://api.drupal.org/api/function/node_access_rebuild/5 and later versions. It now (D7) checks !empty($node):

      $nids = db_query("SELECT nid FROM {node}")->fetchCol();
      foreach ($nids as $nid) {
        $node = node_load($nid, NULL, TRUE);
        // To preserve database integrity, only acquire grants if the node
        // loads successfully.
        if (!empty($node)) {
          node_access_acquire_grants($node);
        }
      }
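
A simplified model of the failure discussed in this thread, added here as an illustration; it is not Drupal's code or code from any participant. It rebuilds the quoted node_access rows in SQLite, shows how one row with nid 0 and realm 'all' overrides the term_access grants, and includes an audit query for that row. The gid 0 on the stray row, the function names and the shape of the view check are assumptions.

```python
import sqlite3

# Constructed sample: the term_access rows are the ones quoted in the thread.
TERM_ROWS = [(12038, g, "term_access", 1, 0, 0) for g in (3, 4, 5, 6, 9, 12, 20, 21)]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE node_access (nid INT, gid INT, realm TEXT, "
               "grant_view INT, grant_update INT, grant_delete INT)")
    db.executemany("INSERT INTO node_access VALUES (?,?,?,?,?,?)", TERM_ROWS)
    return db

def acquire_grants(db, node, guarded):
    """Model of one rebuild step; node is None when loading failed."""
    if node is None:
        if guarded:
            return  # the check from the thread: write nothing for unloaded nodes
        # Assumption: an unloaded node has no nid (stored as 0) and no module grants.
        node = {"nid": 0, "grants": []}
    # Assumption: with no module grants, a view-for-all row (gid 0, realm 'all') is written.
    rows = node["grants"] or [(0, "all", 1, 0, 0)]
    db.executemany("INSERT INTO node_access VALUES (?,?,?,?,?,?)",
                   [(node["nid"], *row) for row in rows])

def can_view(db, nid, role_ids):
    """Simplified view check: rows for this nid or nid 0 that match the user."""
    marks = ",".join("?" * len(role_ids)) or "NULL"
    sql = ("SELECT COUNT(*) FROM node_access "
           "WHERE nid IN (0, ?) AND grant_view >= 1 AND ("
           "(gid = 0 AND realm = 'all') OR "
           f"(realm = 'term_access' AND gid IN ({marks})))")
    return db.execute(sql, (nid, *role_ids)).fetchone()[0] > 0

def find_global_grants(db):
    """Audit query: rows that open every node to every visitor."""
    return db.execute("SELECT nid, gid, realm FROM node_access "
                      "WHERE nid = 0 AND realm = 'all' AND grant_view >= 1").fetchall()

if __name__ == "__main__":
    db = make_db()
    print("anonymous before:", can_view(db, 12038, [1]))
    acquire_grants(db, None, guarded=False)
    print("anonymous after unguarded rebuild:", can_view(db, 12038, [1]))
    print("global grant rows:", find_global_grants(db))
```

Running the audit query after every permissions rebuild catches the stray row even when the node that failed to load has not been identified yet.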