All biblio nodes are visible to all users, including anonymous users, despite being unpublished - I have tried this on three different installations (5.x). This causes serious problems with access control.

Steps to reproduce, no 1:
- create biblio node, but untick the "published" box
- log out of Drupal
-> node still visible

Steps to reproduce, no 2:
- go to an existing biblio node
- edit it and untick the "published" box
- log out of Drupal
-> node still visible

Comments

rjerome’s picture

rjerome commented

Indeed, that was fixed in the -dev version but not propagated to any official releases yet. Is there a reason you are running 1.9?

If you want to fix it in the 1.9 version, go to the biblio_access function and change

  if ($op == 'view') {
    if (variable_get('biblio_view_only_own', 0) ) {
       if (  $user->uid == $node->uid ) {
         return true;
       }
       else{
         return false;
       }
    }
    else{
       return true;
    }
  }

to look like this...

  if ($op == 'view') {
    if (variable_get('biblio_view_only_own', 0) ) {
       if (  $user->uid == $node->uid ) {
         return true;
       }
    }
  }
Anonymous’s picture

Anonymous (not verified) commented
Version: 5.x-1.9 » 5.x-1.15
Status: Active » Fixed

Thanks for the update, RJerome - especially for the quick reply! And sorry for the confusion, I am indeed using 1.15. I have made the change in the module and it is working now. Thanks again for looking into this!

Anonymous’s picture

Anonymous (not verified) commented
Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.