Here's one thing to observe about miniviews: it doesn't use access control. Even if within the flexinode module one has specified restrictions on who can access which kinds of flexinodes, those restrictions do not apply to the miniviews---anyone with generic "access content" permission can see them.
I fixed my local copy, but unfortunately I don't know enough about the patch process to post the fix. At the very least you probably want this:

foreach (flexinode_content_types() as $ctype) {
      $items[] = array(
      'path' => 'flexinode/table/'. $ctype->ctype_id,
      'title' => t($ctype->name) . ' table',
      'callback' => 'flexinode_miniview_page_table',
      'callback arguments' => array($ctype->ctype_id),
      'access' => user_access('access '. $ctype->name .' content') or $admin_access,
      'type' => MENU_CALLBACK,
      );
 }

Comments

ahoeben’s picture

ahoeben commented

The whole 'access '. $ctype->name .' content' thing seems to be missing; there are no such permissions in the current flexinode module. Only 'create *', 'edit own *' and 'edit any *' are created/used. 'access *' is never checked, so I see no reason to start checking it in _miniviews.

Bèr Kessels’s picture

Bèr Kessels commented

a hoeben. Correct. Lets mark this won'tfix? what do you think?

ahoeben’s picture

ahoeben commented

Well, it's either that or we have to (re?)implement flexinode access control ;-)

ahoeben’s picture

ahoeben commented
Status: Active » Closed (won't fix)