When you make nodes private, the RSS feed, as
it is now, will spread the private info in the feed, and
there is no way to turn it off.

There is a Sep 8,'08 patch available here to at least turn it off:
http://drupal.org/node/198129#comment-1000799
Designed from Drupal 6.4; jkmikelson reports that it works for
Drupal 6.6.

This is a Security issue that should be in the Drupal 6 code base.

This issue is already listed for Drupal 7.x-dev here:
http://drupal.org/node/28337

I recommend that this be implemented not just to turn it off but
to selectively turn it off based on permissions, or at least the simple
turn it on/off for anonymous viewable content only.

Comments

dave reid

Status: Active » Closed (duplicate)

Please don't make a duplicate issue since 6.x and 5.x only accept bug fixes. Concentrate efforts in #28337: Add permissions to disable RSS feeds so we can get it fixed in 7.x and possibly backport to a contrib module.

mainebob

Thanks Dave, AND Aren't "SECURITY" issues bugs? Doesn't it make sense to fix this for the version used by the largest number of the Drupal community (V6) so that they can benefit NOW.....and then PORT IT FORWARD to version 7 which my guess is it will be at least 6 months until it is ready for most of the community to use? -Bob

dave reid

It's not a security issue in the sense that it allows someone to hack and damage your site; it's a feature request. Unfortunately the policy is that feature requests and API changes (like this would be) can only be accepted into the development version of Drupal. This could easily be accomplished as a contrib module.