I already posted a bug report (http://drupal.org/node/19404) but I was wondering if anyone has had any success getting taxonomy_access and RSS to play together. As it is, it seems that the RSS feeds are a leaky sieve when it comes to security: no matter what access settings you put on the taxonomy, all posts are accessible by anyone via the RSS feed.

Example: You post several nodes on various topics, with various access levels set depending upon the topic. On the site itself, only people with proper access can see the nodes they are supposed to see. Everyone else is unaware of the other nodes' existence. But ... anyone, even an anonymous user, who pulls down the RSS feed for your blog will receive all of the nodes posted in the feed.

Short of hacking the core to disable the RSS feeds, which is hardly a preferable solution, has anyone found a workaround to make these two functions work together? Any thoughtful replies most heartily welcomed! :)
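Before relying on any workaround, it helps to be able to prove whether a feed is leaking. The script below is an added example, not code from this thread or from the taxonomy_access module: it parses an RSS 2.0 feed and flags any item whose node id or category matches a list of protected node ids and taxonomy term names that the site admin already knows. The feed XML, the node ids, the term names and the `/node/N` link format are constructed assumptions for the demonstration; in practice you would fetch the feed URL with no session cookie (i.e. as an anonymous user) and pass the response body to `find_leaks`.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample feed (not taken from the page): three items, one of which
# belongs to a term that taxonomy_access is supposed to hide from anonymous users.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
<channel>
<title>Example blog</title>
<item><title>Public post</title><link>http://example.com/node/10</link>
  <category>public</category></item>
<item><title>Client review Q3</title><link>http://example.com/node/11</link>
  <category>client-review</category></item>
<item><title>Another public post</title><link>http://example.com/node/12</link>
  <category>public</category></item>
</channel></rss>"""

# Assumption: the admin maintains the list of protected terms and/or node ids.
RESTRICTED_TERMS = {"client-review", "executive", "vendor"}
RESTRICTED_NIDS = {11}

# Assumed Drupal-style node path in item links.
NODE_PATH = re.compile(r"^/node/(\d+)$")


def parse_items(feed_xml):
    """Return a list of dicts (title, link, nid, categories) for each <item>."""
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        link = (item.findtext("link") or "").strip()
        match = NODE_PATH.match(urlparse(link).path)
        nid = int(match.group(1)) if match else None
        categories = {c.text.strip() for c in item.findall("category") if c.text}
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": link,
            "nid": nid,
            "categories": categories,
        })
    return items


def find_leaks(feed_xml, restricted_terms, restricted_nids):
    """Return (title, link, reasons) for every item that should not be in an anonymous feed."""
    leaks = []
    for it in parse_items(feed_xml):
        reasons = []
        if it["nid"] in restricted_nids:
            reasons.append(f"node {it['nid']} is restricted")
        hit = it["categories"] & restricted_terms
        if hit:
            reasons.append("restricted term(s): " + ", ".join(sorted(hit)))
        if reasons:
            leaks.append((it["title"], it["link"], reasons))
    return leaks


if __name__ == "__main__":
    for title, link, reasons in find_leaks(SAMPLE_FEED, RESTRICTED_TERMS, RESTRICTED_NIDS):
        print(f"LEAK: {title} <{link}>: {'; '.join(reasons)}")
```

Run it against every feed the site exposes (per-term feeds as well as the blog and front-page feeds); an empty result for the anonymous fetch is the condition you want before considering the access control effective.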

Comments

Jaza

This is not as big a security issue as you're making it out to be. Don't forget, RSS feeds only show a preview of each node in a particular taxonomy term, not the whole body of the node. So even if you have some nodes protected by taxonomy_access, unauthorised users still won't be able to access the full text through RSS, only a preview.

I know that even seeing a preview is unacceptable for some sites, but in many cases it's fine. In fact, on my own site, I hacked taxonomy_access so that even if users are unauthorised to view the full body of a node, they can still see the preview. So in the case of my site, users being able to access all my RSS feeds is fine - they can access all the previews anyway through the regular interface!

But I must admit that my setup is not the norm. The taxonomy feed functionality should be checking the permissions before it dishes out any RSS.

Jeremy Epstein - GreenAsh

media girl

Whether I pull a preview or the full text, either is not acceptable for business purposes. Anonymous users simply should not be able to view client review, executive, staff or vendor matters at all. We do not use preview, either, except with front-page material, thus the entire posts were being fed out to anonymous RSS subscribers. RSS was revealing everything.

The damage is done. We can only hope that the various aggregators out there have not archived anything proprietary.

This is a gaping security hole. With more and more people keeping up on websites via RSS, it's a big mistake for admins to consider taxonomy_access secure. I urge all admins to find alternative methods of securing confidential information on your website until a patch is made. I would like to see RSS feeds offer up only content that is available to anonymous users. (I would do it myself, but I'm still too much in the dark on how Drupal processes node permissions to come up with anything useful.)

--
mediagirl.org

Gunny-1

I would like to know if other users of taxonomy_access have this problem; I have been facing it for a long time.

User roles other than super-user (admin) cannot see their blog in "my blog"; even if they navigate to sitename/blog, they don't see the blogs that were posted by everyone.

Inserting this statement, INSERT INTO node_access VALUES (0, 0, 'all', 1, 0, 0);, resolves the issue, but then you cannot use taxonomy_access.
I am using 4.5 and the latest CVS of taxonomy_access.

please comment

media girl

I have experienced no problems with taxonomy_access aside from the fact that it does not secure the rss feeds.

Perhaps I'm not understanding your problem. Did you set the category permissions and they still cannot access the material?
--
mediagirl.org

ChrisNolan.ca

Did you get a resolution to this issue? I thought it was fixed, as when I first read this thread and tested, it appeared that the locked categories were not in the feed, but now I see that they are (I guess I missed them at first). I do not want them there, and if necessary I'll gladly disable the RSS from the core - any pointers on doing so?

Thanks,