This is just a heads-up for NodeAccess users, a side-effect of using this module with Drupal 5.1 (perhaps other versions too?)
I implemented a restrictive access policy for some accounts: they can view a limited range of pages, but nothing else.
I also created an empty page, just as a means to upload and keep track of common JavaScript snippets used by many pages in the portal.
It turned out, all those restricted users need to be granted access to that special page, otherwise they couldn't access the JavaScript files, which are attachments to the special page.
Just something to pay attention to. It might be obvious to some, but it took me a while to figure out why JavaScript was suddenly "broken".
Comments
Comment #1
gpk commentedJust to confirm that this behaviour is very much designed into Drupal core 5.x, 6.x, 7.x - in order to access an attachment (e.g. uploaded via the core upload module) you have to have permission to access the page that the thing is attached to. This means that it *is* possible to control access to attached documents etc. *provided* that the "private" downloads method is used instead of "public".
Of course in a situation like the one described here then the behaviour could be confusing ..!
Note that some modules used for uploading assets e.g. IMCE (at the time of writing) don't associate the asset with a particular node, hence node access permissions are not considered when determining access permissions for assets uploaded with these modules.
Comment #2
Anonymous (not verified) commented