Description:

When limiting access to a category used for forums the access is appropriately limited in all tested modules and blocks except one. If comments are posted to a node (I only tested the forums), and the "recent comment" block is active, the comment title will appear in the block. Attempting to click on the comment title in the block results in an "Access Denied" message, but the comment title should not be visible anywhere at all if a user doesn't have rights to view the category.

I marked this as critical since it allows visibility where it's expected to block it.

Comments

pyromanfo’s picture

pyromanfo commented
Priority: Critical » Normal

This is a problem with comment.module's recent comments block not checking node permissions.

I could just move it over there but since it's your issue I'd rather you do it so you can better keep track of what's going on.

Anonymous’s picture

(not verified) commented

Cool. Thanks, I'll do that. Great work by the way :)

pyromanfo’s picture

pyromanfo commented