I have set anonymous user not to access forums.

However, this seems to have only effect on the ability to access containers and forums.
Forum topic nodes themselves can still be viewed through tracker (or google) for example

To prevent this illegal backdoor access, I had to enable a second vocabulary for forum topics by wich I can prevent accessing the content nodes themselves.

Is that normal?

Comments

vm’s picture

why not use the forum access.module ?

jvieille’s picture

Title: Forum access » Forum access control does not protect forum topics

Changed the title

jvieille’s picture

Thanks for the info
I'll try it

jvieille’s picture

I found a simpler way because I really don't need a sophisticated access handling for forums - just an internal, simple communication tool.

Just add in the TAC permissions for anonymous all terms corresponding to all forums and block their access.
It works.

What I have difficulties to grasp with TAC is that it needs both positive and negative access permissions:
- granting a specific role to access something does necessarily not prevents another role to access it
- preventing a specific role to access something does not necessarily implies that all other will get throught.

(I guess this is because ot somewhat compete with Drupal core permission handling. The core has only one pemission to authorize the view of any type of content, so it has to be enabled

The only secure way is to do both...

xjm’s picture

Status: Active » Fixed
xjm’s picture

Status: Fixed » Closed (fixed)