Unprivileged users can access threads when they know the URL. I am also using pathauto and I'm not quite sure if that interferes, but accessing a thread via /node/x is not too hard to guess. Critical is that the user is even allowed to post when he can see a thread.

Comments

salvis

I don't see this here. Try rebuilding permissions at admin/content/node-settings. I don't know whether pathauto could interfere here.

To pursue this further, please download the Devel module, http://drupal.org/project/devel, 5.x-1.x-dev and install the devel_node_access module. This will show you the node access entries that control access to each of your nodes. Post all entries of one node that is accessible but shouldn't be.

jahwe2000

I have now installed the latest development version of Forum Access and the Devel module. It tells me that the forum nodes may be accessed by all users via the realm "all".

What can this be?

jahwe2000

Status: Active » Closed (fixed)

I have found out that Content Access made this "all" entry. As I did not need that module anymore, it is deactivated now and everything works as desired.

Thank you for your time :)

masipila

Status: Closed (fixed) » Active

I am having troubles with this same issue after updating Content Access and Forum Access modules.

Here's how I've built it:

  • I have a private forum area where only users with specific role should be able to view, post, edit and delete posts.
  • I have configured this with Forum Access module so that anonymous and authenticated users do not have any rights ("View this forum", "Post this forum", "Edit posts" and "Delete posts")
  • The desired role has all these mentioned rights so that they can use this forum area freely

Old posts in this forum work as expected but when new posts are submitted they can be accessed by everyone if they know the URL (basically if they can guess the nid of the post). By new posts I mean posts that are submitted after I updated Content Access and Forum Access modules.

I checked where these view rights come from with Devel Node Access module. The new posts have this entry:

  • Node: test
  • Realm: All
  • Gid: 0
  • View: 1
  • Update: 0
  • Delete: 0
  • Explained: All users may view this node

Old posts do not have this entry so they are not visible for all users.

It seems that this problem is related to this issue of Content Access module: http://drupal.org/node/239139

Because I do need Content Access module for other stuff I can't use the same workaround that jahwe2000 did (disabling Content Access module).

Are there any other workarounds for this issue? Does somebody know what the side effects are if I downgrade Content Access module? Which version of that module introduced this problem?

Best regards,
Markus

salvis

Can you at least keep CA from messing with your forum topics?

IOW, go to admin/content/types/forum/access and remove all checkmarks.

Thank you for your well-researched and thoughtful post and your support over in the CA queue.

masipila

Salvis, thanks for your quick reply.

I think I managed to solve this issue or at least found a workaround. Here's how my forum and its access control is built:

  • I have one forum container that contains a couple of forums.
  • I have defined the container so that
    • view: anonymous users AND authenticated users
    • post: authenticated users
    • these are defined in admin/content/forum/edit/container/[container_id]
  • I have defined the actual forums so that
    • view: anonymous users AND authenticated users
    • post: authenticated users
    • edit: roles "forum moderators" AND "site maintainers"
    • delete: roles "forum moderators" AND "site maintainers"
    • these are defined in admin/content/forum/edit/forum/[forum_id]
  • I have one special forum called "Private area" within the same container as the other forums. It is defined so that
    • view: roles "forum moderators" AND "site maintainers"
    • post: roles "forum moderators" AND "site maintainers"
    • edit: roles "forum moderators" AND "site maintainers"
    • delete: roles "forum moderators" AND "site maintainers"
    • these are defined in admin/content/forum/edit/forum/[forum_id]
  • In admin/content/types/forum/access I have the default access control settings so that
    • View: anonymous users AND authenticated users
    • Edit: nobody
    • Delete: nobody

With these settings things don't work as expected. When anonymous users are viewing the forum list they don't see the private area forum. BUT if they guess the node id of a node posted to private area they can view this post by typing the direct URL (node/nid). This is due to the "all" realm stuff I mentioned in my earlier comment.

If the administrator goes to the "edit forum" page of the forum "private area" (admin/content/forum/edit/forum/[forum_nid]) and saves the settings, the "all" realm stuff disappears from the node posted to "private area". If a node is edited (and submitted) after this, the "all" realm appears again and all users can view this node again.

When I went to check out the settings in admin/content/types/forum/access as you suggested I noticed the "Advanced" fieldset that has a setting "Give node grants priority".

I hadn't noticed this setting before. When I define a small number (e.g. -5) to this setting the problem disappears. With this setting all new posts do NOT get the "all" realm stuff and everything works as expected. Phew.

I have no idea whatsoever how the modules should use all the realm stuff as I'm no access control specialist. I have no clue at all what the node grants priority setting actually does under the hood, but I guess the most important thing is that with a reasonable priority setting things work as expected...

I made a rollback in my development environment to see if this issue existed before I updated modules a couple of days ago. It did. I just hadn't noticed it before...

I now have the following versions of Drupal and access control modules:

  • Drupal 5.7
  • ACL 5.x-1.6
  • Content Access 5.x-1.3
  • Forum Access 5.x-1.10

With these modules and "Give node grants priority" setting I am happy to say that my access control works as I want.

Markus

p.s. If you think this issue is now closed feel free to close it. I didn't close this because I'm really not sure how this thing is supposed to work under the hood (I mean is this just a lucky workaround or the Right WayTM how these things are designed to work).
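Added example, not from this thread or from the Forum Access / Content Access modules: a small model of how Drupal evaluates node_access rows, showing why a single "all"/gid 0 row with view=1 opens a node to every user regardless of the Forum Access rows, and how the priority setting drops lower-priority records. The realm name, gid and the priority rule (only records with the highest priority are kept, as in node_access_acquire_grants) are assumptions for illustration.

```python
# Added example: model of Drupal node_access grant resolution (not module code).
# Assumption: node_access_acquire_grants keeps only the records carrying the
# highest priority before writing them to the node_access table.

def acquire_grants(records):
    """Keep only the records with the highest priority; they become the
    node's node_access rows. With no records at all, Drupal writes a
    default 'all'/0 row with view=1 (modelled here with constructed values)."""
    if not records:
        return [{"realm": "all", "gid": 0, "view": 1, "update": 0, "delete": 0}]
    top = max(r.get("priority", 0) for r in records)
    return [r for r in records if r.get("priority", 0) == top]

def user_may(rows, user_grants, op="view"):
    """Access is granted if ANY row matches one of the user's (realm, gid)
    pairs and has the op bit set. Every user implicitly holds ('all', 0),
    which is why an 'all' row with view=1 cannot be overridden by other rows."""
    held = set(user_grants) | {("all", 0)}
    return any((r["realm"], r["gid"]) in held and r[op] == 1 for r in rows)

# Constructed records: Forum Access restricts the private forum to a role gid
# (realm name and gid 7 are made up); Content Access adds the "All users may
# view this node" record seen in the Devel Node Access output above.
FA = {"realm": "forum_access", "gid": 7, "view": 1, "update": 1, "delete": 1, "priority": 0}
CA_ALL = {"realm": "all", "gid": 0, "view": 1, "update": 0, "delete": 0, "priority": 0}

def private_topic_visible_to_anonymous(ca_priority):
    """Anonymous holds no role-based grants; only the implicit ('all', 0)."""
    rows = acquire_grants([FA, dict(CA_ALL, priority=ca_priority)])
    return user_may(rows, [], "view")

def private_topic_visible_to_moderator(ca_priority):
    """A moderator holds the Forum Access grant for the private forum."""
    rows = acquire_grants([FA, dict(CA_ALL, priority=ca_priority)])
    return user_may(rows, [("forum_access", 7)], "view")

if __name__ == "__main__":
    print("CA priority 0, anonymous:", private_topic_visible_to_anonymous(0))
    print("CA priority -5, anonymous:", private_topic_visible_to_anonymous(-5))
```

With both modules at priority 0 the anonymous check returns True (the guessed-nid leak in the thread); with Content Access lowered to -5 its record is discarded and only the Forum Access row remains.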

salvis

This is a way to get it working, but not the Right Way.

Please download and install Forum Access 5.x-1.x-dev. I've recently added checks and information that should be a big help in situations like yours. After you've installed it, set the CA priority back to 0 (it's under "Advanced" because it shouldn't be changed unless you know exactly what you're doing), and see what happens on admin/content/types/forum/access. I think (hope) you should get enough guidance to find the Right Way.

Please let me know how it goes.

masipila

Hi!

The development version of Forum Access displayed this warning to me on admin/content/types/forum/access:

Note: In Drupal, access can only be granted, not taken away. Whatever access you grant here will not be reflected on the Forum Access settings, but Forum Access can only allow more access, not less.

I now understand that the Right Way of doing what I described I want to achieve is to leave admin/content/types/forum/access blank (i.e. no checks there at all) and define all forum access control stuff on admin/content/forum/edit/forum/[forum id].

Some people may be "a bit" confused by all the different places where access control rules can be defined. To avoid stupid user errors like mine it would be good to make the warning messages as practical as possible. May I suggest that the warning displayed on admin/content/types/forum/access be something like this:

Note: In Drupal, access can only be granted, not taken away. In practice this means that

  • Whatever access you grant here affects all forums.
  • If you want different forums to have different access settings it is recommended that you don't grant anything here (leave all check boxes unchecked).
  • You can define access settings for each forum separately from the settings page of that forum. These setting pages can be found from admin/content/forum.

Thanks again for your help with this issue. I really appreciate your quick replies!

-Markus

Edit: fixed a typo

salvis

Status: Active » Fixed

Thank you for your feedback. I'm glad it worked out in the end, so this new message should be useful.

That page is not mine, and I can't put lots of text (and advertisements :-)) there. Also, I can't make recommendations that are too specific, because I can't know what the admin wants to do in the end. Maybe he really wants/needs to have CA controlling some forum topic nodes, and if he knows what he's doing, long red text would get in the way.

There is additional information on the Forum configuration pages though, that you may not have seen, because you turned off CA for forum topics.

Anonymous

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.