When a user on my system has a role assigned a query is rewritten (after a call to db_rewrite_sql) to be like this:

SELECT node_data_field_phonenum.field_phonenum_value AS value FROM {node} node
LEFT JOIN {content_field_phonenum} node_data_field_phonenum ON node.vid = node_data_field_phonenum.vid
INNER JOIN {node_access} na ON na.nid = node.nid
WHERE (na.grant_view >= 1 AND ((na.gid = 0 AND na.realm = 'all') OR (na.gid = 2 AND na.realm = 'term_access') OR (na.gid = 4 AND na.realm = 'term_access'))) AND ( node.nid = 329 )
ORDER BY node_data_field_phonenum.delta

There are multiple rows in node_access that satisfy the query and therefore it returns twice the number of rows that exist in content_field_phonenum. For example, if content_field_phonenum has 1 row that satisfies the node.nid = 329 then 2 rows are returned from the query. That is because node_access has 2 rows that satisfy the query.

If I remove all roles for the user then the query becomes:

SELECT node_data_field_phonenum.field_phonenum_value AS value FROM {node} node
LEFT JOIN {content_field_phonenum} node_data_field_phonenum ON node.vid = node_data_field_phonenum.vid
INNER JOIN {node_access} na ON na.nid = node.nid
WHERE (na.grant_view >= 1 AND ((na.gid = 0 AND na.realm = 'all') OR (na.gid = 2 AND na.realm = 'term_access'))) AND ( node.nid = 329 )
ORDER BY node_data_field_phonenum.delta

and only 1 row in node_access satisfies that query.

Is something configured wrong, or is this a bug in nodeaccess or some other module.

Comments

Anonymous’s picture

The query you are referring to is generated by drupal's node module, not the nodeaccess module. However, I don't think this is really an issue. Drupal's access control system works on a grant only basis, that is, you can only grant access and not deny it. Because of this, all drupal cares about is whether any access control module grants at least 1 access. If it does, access is granted. It does not matter if one module, or multiple modules, grant access multiple times and it's quite common for that to happen. If drupal had a system where modules could deny access as well this might be an issue, but as it is this is just kind of the way things work.

mantyla’s picture

Status: Active » Closed (fixed)