I've looked at various bugs which seem to be related to this, but the discussion quickly gets hard to follow.

I'm running Drupal 7.9, TAC 7.x-1.0-rc1 and Views 7.x-3.0-rc1.

It appears that even if a user has no permission to view a given node, that node will still show up in a view which lists nodes - for my application if a user can't read a node they shouldn't see it in lists.

By default anon and authenticated users have no permission to view existing nodes unless granted such access by another role. I have created a taxonomy with 2 values, and created a new role which via TAC rules has access to nodes with one of the terms in that taxonomy. I've created a view which lists all nodes (I have added "Content access: Access" as a filter, but it doesn't change the output).

So when I log in as a user which belongs to the role which can only view 1 term of the taxonomy, nodes which are assigned the other term of the taxonomy still show up in the list, but when the user clicks on them they cannot view the actual node. This user shouldn't see it in the list at all if they can't view the node itself.

Is this a current limitation of either Views or TAC, or am I likely doing something wrong?

Comments

xjm’s picture

Hmm, it should work. First, I'd suggest clearing your site cache, including the views cache. If that doesn't fix it, could you post screenshots of your TAC configurations for anonymous and authenticated users, as well as a screenshot of the view admin screen so I can try to reproduce?

sprior’s picture

Preparing the screenshots gave me the clue and it's fixed. I wasn't aware that TAC would grant View to all nodes by default in the anonymous and authenticated user roles. In the regular permissions I had removed ALL permissions from both of those roles and only granted access through a new role I created. So when I enabled TAC I just added a rule for the role I created and thought I'd be fine, but the TAC defaults got me. Once I went in and changed the access rules for View to I instead of A for anon and auth users, things started working the way I expected.

Now that I think about it, when I still had those defaults in place I couldn't view the nodes my role hadn't been granted access for (like I expected); it was just that they showed up in views. So while I'm now fixed, I think there's still a bug somewhere.

Thanks for the assist!
Steve

xjm’s picture

Status: Active » Fixed

Ah! That is good to hear. We're hoping to overhaul the UI a little so things like this won't be so sneaky. :)

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

flightrisk’s picture

Status: Closed (fixed) » Active

I *think* I have the same issue, so joining this thread. I have a documents page where I allow documents to be downloaded. The documents are grouped by a Taxonomy term called "category". One of the categories is "private". I then have a menu that points to a page displayed by the Views module that shows a table of all of the documents grouped by the Taxonomy term. When I set permissions for an anonymous user to deny view rights to that Taxonomy term, the term word "private" disappears from the view, but the nodes attached to it are plainly visible. How can I make sure that any node with a blocked taxonomy term "private" does not show up in any view?

xjm’s picture

Status: Active » Closed (fixed)

@flightrisk -- Could you please open a new support request with detailed steps to reproduce this issue, including some screenshots of your configuration? Thanks!