I see that in http://drupal.org/node/213897 there was an issue where unpublished posts showed up in the activity. This report is similar but different. My site uses the Forum Access module (based on ACL) and we have a private forum where the moderators debate moderator activity. This cannot be shown to the rest of the users, but the Activity list shows the titles of postings in the private forum. If someone clicks through the title they get an access denied message, but I think even revealing the titles is a no-no.
The activity table should only show things for which the current user has access rights to see.
Comments
Comment #1
reikiman commented:
FWIW I'm on the latest Drupal 5.x release using Activity 5.x-3-beta.
Comment #2
jaydub commented:
Because of the way the activity data is stored (for, let's say, a node or comment), there is no direct access to the node nid that could be used in the query to fetch activity to check for node access.
You could fetch results and do the filtering for node access after retrieving results but as that is in a pager query, you will end up with possibly fewer results than the pager limit.
Any thoughts from the module developers?
Comment #3
geodaniel commented:
Subscribing to this, as it's very important from the point of view of social networks, where people should be able to have private groups and not have that information leaked outside of those groups and/or outside their social networks.
Access control for OG, TAC, Access module, etc. (all done through node_access, I believe) should really be taken into account. In addition it would be great to be able to limit things to just people in your social network, so others can't see the activity.
Comment #4
jaydub commented:
Cross-referencing with this issue:
#254632: Move node access checks to load instead of display
Comment #5
jaydub commented:
I think the approach in the patch here is going to get what we need: #254632: Move node access checks to load instead of display
Comment #6
jaydub commented:
Added an access check to the display phase of the activity records. Please test out on a development snapshot (10/31 or later).
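A display-phase filter of the kind described in #6, written as an added example for this issue and not taken from the Activity module. It assumes each activity record exposes its node id as `$record->nid` (the thread notes the stored data does not make the nid available to the query, so that mapping is an assumption) and uses only core `node_load()`, `node_access()` and `user_access()`.

```php
<?php
// Added example, not Activity module code. Assumes activity records
// carry the referenced node id in $record->nid (assumption).

/**
 * Drop activity records whose underlying node the current user may not view.
 *
 * The pager query still fetches its full page of rows, so after this
 * filter a page can contain fewer than the pager limit (the trade-off
 * #2 describes). Hiding the whole record, not just the link, is what
 * stops private forum titles from leaking, which is the original report.
 */
function example_activity_filter_by_node_access(array $records) {
  $visible = array();
  foreach ($records as $record) {
    // Records with no node reference (e.g. login events) are unaffected.
    if (empty($record->nid)) {
      $visible[] = $record;
      continue;
    }
    $node = node_load($record->nid);
    if (!$node) {
      // Node has been deleted since the activity was recorded.
      continue;
    }
    // Unpublished nodes stay hidden unless the user administers nodes.
    if (!$node->status && !user_access('administer nodes')) {
      continue;
    }
    // node_access() consults node_access grants, so Forum Access, OG,
    // TAC and similar modules all get a say here.
    if (!node_access('view', $node)) {
      continue;
    }
    $visible[] = $record;
  }
  return $visible;
}
```

Calling this on the result set right before rendering, and passing only `$visible` to the theme layer, keeps the access decision in one place; if short pages become a problem, the query itself needs the nid so that `db_rewrite_sql()` can apply node access at the SQL level.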
Comment #7
jaydub commented:
Closing in favor of the issue referenced in #5.