This occurs irrespective of any permissions settings, which seem to be completely ignored.
I have tested this systematically using a few authenticated users,
all can read all other private nodes, including those from admin!
Anonymous is correctly blocked.
BTW I have no other access modules installed.
Please, if this is not a bug, explain how to change this behavior,
or point to documentation that explains that it should behave thus,
otherwise it is a clear security flaw.
Glad for advice.
Comments
Comment #1
webel commented
Accidental double-submission of #349735: All authenticated users can view all private content from all other authenticated users, including the admin's private pages, may be deleted.