When you create a new topic via "create content->forum topic" you are allowed to put the topic into forums that you cannot view because of security restrictions.

I'd be happy to try and write a patch, but I'm not sure where the fix needs to be made.

Comments

keve’s picture

Thanks for reporting.

Can you check:
When adding a "forum" node, can the user view the terms (forum containers, forum names) for which he has no "create" permission but has "view" permission? Can he also see the terms for which he has no "view" permission?

This bug is for 4.6.5 or 4.6.4, right?

mwheinz’s picture

Drupal Version: 4.6.5
Taxonomy Access Version: 4.6.0(?) (files dated April 2005)
DB: MySQL

Behavior: User must have the right to create a forum topic in *some* forum. With that authority, he can get to the create forum topic page and then change the destination topic to be *any* forum.

Currently, I have created the following levels of user access:

anonymous - can view some forums but not all
registered - can post to the forums that anonymous users can view
club member - can view/post to a special "members only" forum
author, club officer, administrator - rights to create other kinds of content.

So, basically, registered users are able to click "create forum topic" then select the members only forum.

mwheinz’s picture

Further update -

The forum is visible (just empty) to users who aren't supposed to be able to view it. Clicking on the link to the forbidden forum, you get an empty page. From that page, you are permitted to add new topics to the forum.

In other words, it's as if they have create rights, but not view rights to the "members only" forum.

Looking at the "access control" page for authenticated users, they should have no rights at all to that forum.

This is odd because I'd swear that when I first tried taxonomy access, the members' only forum was completely invisible to people without the rights to see it.

keve’s picture

I could not regenerate the problem.
Please try latest module: // $Id: taxonomy_access.module,v 1.47.2.11 2006/01/27 14:10:30 keve Exp $

keve’s picture

Status: Active » Fixed

Anonymous’s picture

Status: Fixed » Closed (fixed)

mwheinz’s picture

Version: » 4.6.x-1.x-dev
Status: Closed (fixed) » Active

I've downloaded and installed the newest taxonomy access and there is no change in behaviour - any user who can create a forum topic can also create topics in forums they do not have access to.

mwheinz’s picture

I did try chasing this down myself, but I can't figure out how the drop-down menu of forum names gets built - it calls taxonomy_node_form() which calls taxonomy_form(), which calls taxonomy_get_vocabulary(), etc. but none of this seems to interact with the taxonomy_access code or tables.

Am I missing something?

keve’s picture

I will try when I get home.

Did you patch taxonomy.module properly?
Do you use Version: // $Id: taxonomy_access.module,v 1.47.2.13 ?

mwheinz’s picture

Yes, I'm using

// $Id: taxonomy_access.module,v 1.47.2.13 2006/03/07 07:53:46 keve Exp $

keve’s picture

For me, forums work as they are supposed to work.

Something similar happens when taxonomy.module is not PATCHED. Did you patch it?
(But in this case 'list' does not work either).

mwheinz’s picture

I patched it when I first installed taxonomy_access - I will re-apply the current patch and see if it makes a difference.

mwheinz’s picture

Applying the patch explicitly was rejected, but copying the taxonomy.module.patched over top of the taxonomy.module does seem to have changed the behavior.

As I mentioned in the original report, this did originally work and then later stopped (but it might have been a while before I noticed it had stopped working) - I wonder if one of the updates back last year stomped on the old version?

In any case - thanks for your patience; I'm going to cross my fingers and hope this solves the issue and doesn't introduce any other problems.

keve’s picture

Status: Active » Closed (fixed)

You are welcome. I am closing this issue now, but reopen it if your problem persists.