Unpublish tab does not remove items from taxonomy_index table. This means that unauthorised users may view unpublished content via any taxonomy term page which correctly included that page when it was published.

I have set up a clean minimal test site and confirmed that this bug is not restricted to the mature site where I (or rather Google) first discovered it.

Comments

aaronbauman’s picture

aaronbauman
he/him
commented

The publish/unpublish action calls node_save(), which in turn calls taxonomy_delete_node_index() and taxonomy_build_node_index() that maintain this table.
So, in theory, this bug should not exist.

Any further information or patches would be welcome.

simon georges’s picture

simon georges commented
Priority: Critical » Normal
Status: Active » Postponed (maintainer needs more info)
johnennew’s picture

johnennew commented
Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)

Closing old issue

johnennew’s picture

johnennew commented
Issue summary: View changes

Revised for great clarity.