Creation of a forum topic restricted to an OG was sent out to all users with Notify turned on. Was not restricted to members of the group. They could not access the node, but the notification went out. Not good.

I had previously reported that the mere creation of a group also goes out via the Notify module. I submit that anything to do with a group should not be picked up by the notify module.

gil

Comments

Capnj

Bumping.
This is a truly critical thing where Notify.module sends out both the creation of a group, and the creation of a topic in a group forum, to everyone getting notifications.

Not good because the mere existence of a group could be something intended to be kept private from non-members; and the creation of a particular topic within a group forum could be even more sensitive.

Bumping this because it did not seem to get any attention.

gil

RobRoy

Just took over notify. Will check into this.

RobRoy

The new DRUPAL-4-7 branch passes everything through node_load() and user access perms, so this should be working well now. Can you test it?

RobRoy

Status: Active » Closed (duplicate)
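
The leak reported in this thread and the per-recipient access check described as the fix, as an added Python model (not code from the Notify module or from anyone in this thread). The `Node`, `User`, `can_view` and `build_digests` names and the sample data are assumptions made for illustration; `can_view` stands in for the module's real access check.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Node:
    nid: int
    title: str
    kind: str                     # "group", "forum" or "story"
    group: Optional[str] = None   # restricting group; None means public

@dataclass
class User:
    name: str
    notify: bool = True
    groups: set = field(default_factory=set)

def can_view(user, node):
    """Hypothetical access check: node is public, or recipient is a group member."""
    return node.group is None or node.group in user.groups

def build_digests(users, new_nodes, check_access=True):
    """Return {user name: [titles]} for every user with notifications on.

    check_access=False reproduces the reported behaviour: the same list of
    new content goes to everyone. check_access=True filters per recipient.
    """
    digests = {}
    for user in users:
        if not user.notify:
            continue
        titles = [n.title for n in new_nodes
                  if not check_access or can_view(user, n)]
        if titles:
            digests[user.name] = titles
    return digests

# Constructed sample data: one private group, one topic in it, one public post.
USERS = [User("alice", groups={"board"}), User("bob"),
         User("carol", notify=False, groups={"board"})]
NEW_NODES = [
    Node(1, "Board (private group)", "group", group="board"),
    Node(2, "Budget discussion", "forum", group="board"),
    Node(3, "Site maintenance window", "story"),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("check_access =", mode, build_digests(USERS, NEW_NODES, mode))
```

The access decision has to be made once per recipient when the mail is built; checking it only when the node is opened still leaks the group name and topic title in the notification.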