Posted by keppi on May 21, 2008 at 11:26am
| Project: | Taxonomy Access Control |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs work |
Issue Summary
Hi,
I've noticed that a user who has TAC settings denying access to forums can still view the name of any forum by using the direct clean URLs to them, i.e. http://example.com/forum/2
This might mean leaking bits of information to users it isn't meant for. Probably not a big issue for most people, but it would be nice if it could be fixed.
Comments
#1
I've had the same issue - I dealt with it by also adding on the Forum Access Control module. I don't think TAC can hide this because the main forum pages are not nodes, and I don't know of any way of supplying a forum page with a taxonomy term. It would be nice though if I didn't have to use an additional module just for this one feature. Does anyone know a simpler way?
#2
subscribing…
#3
#4
I'm on the fence as to whether this is within the scope of TAC. If anything, we'd probably want to add this in its own .inc file for the forum module only.
#5
#366270: "Forum access control does not protect forum topics" is also about TAC + forum.
#6
I dunno where you should put it, or how exactly to implement it, but this is a good feature.
Users who don't have access to the nodes in a forum still have access to the forum name and description by going directly to forum/12 or taxonomy/term/12.
Is this a forum.module bug? Direct access to a non-forum taxonomy list (i.e. taxonomy/term/15) is restricted correctly. Why doesn't the automatic redirect from taxonomy/term/12 to forum/12 make an access check?
The patch at #3 applied cleanly to 6.x-1.2 and solved the problem for now. Thanks.
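One way to close the gap described in this thread, written as an added example: it is not the patch from #3 and not code from TAC or forum.module. The module name `forum_guard` and its functions are hypothetical, and the `{term_access}` columns and grant values (1 = allow, 2 = deny) are assumptions about TAC's schema; per-vocabulary defaults are not consulted, so a term with no row is denied.

```php
<?php
// Added example for a hypothetical Drupal 6 module named "forum_guard".

/** Implementation of hook_menu_alter(): gate forum/<tid> behind a term check. */
function forum_guard_menu_alter(&$items) {
  if (isset($items['forum'])) {
    $items['forum']['access callback'] = 'forum_guard_forum_access';
    // Index 1 is the <tid> path component; it is '' for the bare /forum index.
    $items['forum']['access arguments'] = array(1);
  }
}

/** Access callback: keep core's permission, then require a view grant on the term. */
function forum_guard_forum_access($tid = '') {
  global $user;
  if (!user_access('access content')) {
    return FALSE;
  }
  if ($tid === '' || user_access('administer taxonomy')) {
    return TRUE;
  }
  if (!ctype_digit((string) $tid)) {
    return FALSE;
  }
  return forum_guard_term_view_allowed((int) $tid, $user);
}

/**
 * Assumed TAC schema: {term_access}(tid, rid, grant_view), 1 = allow, 2 = deny.
 * A deny in any of the user's roles wins; no matching row fails closed.
 */
function forum_guard_term_view_allowed($tid, $account) {
  $rids = array_keys($account->roles);
  $placeholders = db_placeholders($rids, 'int');
  $args = array_merge(array($tid), $rids);
  $result = db_query("SELECT grant_view FROM {term_access} WHERE tid = %d AND rid IN ($placeholders)", $args);
  $allowed = FALSE;
  while ($row = db_fetch_object($result)) {
    if ($row->grant_view == 2) {
      return FALSE;
    }
    $allowed = $allowed || $row->grant_view == 1;
  }
  return $allowed;
}
```

Because taxonomy/term/12 redirects to forum/12 for forum terms, as comment #6 observes, the same callback then covers that path as well; the menu cache has to be rebuilt before the altered access callback takes effect.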