Lists per Content Type are exposed to public

Researchery - April 28, 2009 - 09:10
Project: Content Access
Version: 6.x-1.1
Component: Code
Category: bug report
Priority: critical
Assigned: Unassigned
Status: by design
Issue tags: access control, content types
Description

I have all Content Types set to disallow public access --- that is, by Anonymous User. Of course, I explicitly allow access to my home page and a handful of other pages.

The bug is that the overview listings for each Content Type, such as ".../blog" and ".../event/1" are themselves exposed. In fact, Google has picked them up, so the world can see sensitive things like the names of some users. Clearing the cache and rebuilding permissions have not cured this bug.

Such pages seem to have no identifiable Content Type themselves; even module "Devel node access" generates no table for them. So perhaps module "Content Access" misses them too.

I do have Organic Groups and its supplements installed, with OG blogs and events enabled but 100% private. Again, it's exposure of overview listings I'm reporting here, and those are generated not by OG but by Core.

#1

salvis - April 29, 2009 - 10:14

even module "Devel node access" generates no table for them.

You should still pick a node that you can see on such an overview page, and report the DNA information for that node.

#2

fago - July 31, 2009 - 09:58
Status: active » by design

This is no bug of content access, much more a bug of the modules creating the pages. Usually there are permissions for such things.

#3

salvis - August 9, 2009 - 16:01

If the names of the posters are exposed, it means either that the modules creating the overview pages don't run their list queries through db_rewrite_sql() (a bug in those modules) or that content access is not configured properly.

The OP hasn't provided sufficient information to tell what we have here.
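
The two causes named in comments #2 and #3, shown as an added example that is not part of the original thread and is not code from Content Access, Organic Groups or Drupal core: a Drupal 6 listing page whose query skips db_rewrite_sql(), next to the same page with the query rewritten and a permission on its menu path. The module name `example_listing`, its functions and the `example-listing` path are hypothetical.

```php
<?php
// Hypothetical Drupal 6 module "example_listing"; every name below is illustrative.

/**
 * Before: reads {node} directly. Node access grants are never consulted, so
 * titles and author names of restricted nodes are listed for any visitor.
 */
function example_listing_page_unfiltered() {
  $sql = "SELECT n.nid, n.title, u.name FROM {node} n
          INNER JOIN {users} u ON u.uid = n.uid
          WHERE n.type = '%s' AND n.status = 1 ORDER BY n.created DESC";
  return example_listing_render(db_query_range($sql, 'blog', 0, 25));
}

/**
 * After: the same query passed through db_rewrite_sql(), which lets the node
 * access system add its {node_access} join and the current user's grants.
 */
function example_listing_page_filtered() {
  $sql = db_rewrite_sql("SELECT n.nid, n.title, u.name FROM {node} n
          INNER JOIN {users} u ON u.uid = n.uid
          WHERE n.type = '%s' AND n.status = 1 ORDER BY n.created DESC");
  return example_listing_render(db_query_range($sql, 'blog', 0, 25));
}

/** Builds the list; author names are escaped before output. */
function example_listing_render($result) {
  $items = array();
  while ($row = db_fetch_object($result)) {
    $items[] = l($row->title, 'node/' . $row->nid) . ' (' . check_plain($row->name) . ')';
  }
  return $items ? theme('item_list', $items) : t('No posts available.');
}

/** Implementation of hook_menu(): the path itself also requires a permission. */
function example_listing_menu() {
  $items['example-listing'] = array(
    'title' => 'Recent blog posts',
    'page callback' => 'example_listing_page_filtered',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}
```

Users holding the "administer nodes" permission bypass node access, so a check like this has to be verified as an anonymous or low-privilege user.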

 
 
