I upgraded from 5.2 to 5.3 and now all content in private groups is available to the public. I have access control enabled. I tried going back to 5.2 and still couldn't get it to work This is a major security problem. Does anybody have any idea how to fix this? I need to limit access to content to members of the group.

Comments

Christefano-oldaccount’s picture

Christefano-oldaccount commented

Have you rebuilt your node access table? You will find a "Rebuild permissions" button at Administer -> Content Management -> Post settings.

If you have trouble, read the discussion at http://drupal.org/node/122476. Either way, post back and let us know if rebuilding fixes the problem.

kforet’s picture

kforet commented

Thanks for the advice. I tried that. It did not change anything with respect to group access. All group content is still available to all users. Any other thoughts?

kforet’s picture

kforet commented

Does any one else have any thoughts or ideas on how I can get acess restrictions back on OG before I give up and take my site down? I have tried everything I can think of.

moshe weitzman’s picture

moshe weitzman commented

what node type is this content? is that type allowed to be part of groups? if so, try to re-save a node that should be protected. does it then become protected?

kforet’s picture

kforet commented

I have not excluded any node types from groups. I tried saving a blog post and forum post and they are still visible to the general public.

moshe weitzman’s picture

moshe weitzman commented

can do run a database query on your DB? if so, look and see if a row exists with nid=0 in the node_access table. if so, delete it.

SELECT * from node_access where nid=0;

if that has a row

DELETE FROM node_access WHERE nid = 0;

kforet’s picture

kforet commented

That seems to have done the trick. Thank you very much for your help. Any ideas how or why this happens?

moshe weitzman’s picture

moshe weitzman commented
Status: Active » Fixed

no

damien_vancouver’s picture

damien_vancouver commented

This no perms, nid=0 row is usually caused by orphaned nodes that have a uid that no longer exists.

The problem manifests itself when og calls the node_access_rebuild() function from the Drupal
API - it is not a bug within og itself.

There are some helpful hints on how to stop this happening here: http://drupal.org/node/127538

If you read through the comments you'll see some helpful queries (one with a LEFT JOIN in it) that can help you find and fix the bad nodes in the database, and then this won't happen in future. You should fix it, as it's conceivable some other module than og might call a node_access_rebuild() at some point and break your perms again.

Anonymous’s picture

(not verified) commented
Status: Fixed » Closed (fixed)