I have been playing with Forum Access now for some time, but not until yesterday did I discover a big security problem.

I have forums protected so that only users who are members of the role members can see and post in our "internal" forums there, and they do not see the forums.

But...

If any user of members is posting a new topic / creating a new thread, they will be visible to anyone even without login.

I am also using Advanced Forum, and as a clue I see that the working "forums" are using the Advanced Forum template, but the other ones that Forum Access is letting through the access control are using the generic template design of the site.

Does anyone have any idea about this?

Sincerely
Roberth Andersson

Comments

Roxpace’s picture

Sorry, I didn't explain the title of my post here. It feels like the Forum Access permissions are not inherited, or something else in Drupal is messing with Forum Access and makes it very insecure in this solution.

Sincerely
Roberth Andersson

salvis’s picture

Status: Active » Postponed (maintainer needs more info)

FA 6.x-1.x-dev is a BETA version — it is not released for use on a production site.

Also, up to the recent release of Drupal 6.3, the node access core functionality was broken anyway (see the "open issues" on the front page), and I haven't had time to reevaluate the situation yet.

So, if you're not using D63 yet, your first step is to upgrade Drupal. Your second step is to follow the directions that were displayed when you posted this issue.

Roxpace’s picture

I never said that I am using it for a production site, and of course I am using the latest Drupal 6.3 due to some circumstances like security.

And now that I am using 6.3, where do I find those directions you were talking about? All I could find was something pointing to earlier Drupals and 7.x.

salvis’s picture

Roxpace’s picture

Thank you :)

salvis’s picture

Status: Postponed (maintainer needs more info) » Fixed

Feel free to reopen if you wish to pursue this any further.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.