The tracker.module does not appear to filter content according to taxonomy_access or node_access_byrole permissions, whether they are enabled at the same time or independently. I covered the problem fairly well in http://drupal.org/node/28653.

The recent posts page shows all content from the site, allowing users to see every post, whether they have access to it or not. This allows a user to gain "back door" access to certain taxonomies that should otherwise be restricted. This is one of the few modules that does not make use of the taxonomy_access permissions.

Comments

killes@www.drop.org’s picture

killes@www.drop.org commented
Status: Active » Closed (won't fix)

that is probably a bug in the referenced module. Didin't find a bug in tracker.module.