This is probably similar to the issues about unpublished nodes. I have a site using forum module and forum access to make some of the forums private (e.g. to the moderators). Posts made on the private moderator forum are being tweeted to my Twitter account. This could be a disclosure of information that needs to be private, but fortunately it's only the post title which is tweeted. Still, the post title in a private forum could still disclose information which needs to be private.

I notice in twitter.module's nodeapi hook that there is no check for whether anonymous can access that node.

I believe the requirement should be that tweeted information has to be accessible to anonymous, and that nodes inaccessible to anonymous should not be tweeted.

It's not clear from the node_access documentation what to pass as the $user argument but the solution is likely to surround the nodeapi hook view section with

if (node_access('view', $node, ...anonymous..)) { .. current code .. }
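
The check proposed above, written out for Drupal 6 as an added example (not code from the Twitter module or from the original post). The `example` module name, `example_node_is_public()`, `example_announce()` and the choice of the insert/update operations are hypothetical; `node_access()`, `drupal_anonymous_user()`, `watchdog()` and `url()` are Drupal 6 core functions.

```php
<?php
/**
 * Returns TRUE only if an anonymous visitor could view the node.
 */
function example_node_is_public($node) {
  // Unpublished nodes are never public, whatever the access grants say.
  if (empty($node->status)) {
    return FALSE;
  }
  // drupal_anonymous_user() builds the uid 0 account object. Passing it as
  // the third argument makes node_access() evaluate permissions and node
  // access grants (e.g. those written by Forum Access) for anonymous
  // instead of for the logged-in author who is saving the node.
  return node_access('view', $node, drupal_anonymous_user());
}

/**
 * Implementation of hook_nodeapi().
 */
function example_nodeapi(&$node, $op, $a3 = NULL, $a4 = NULL) {
  // Assumption: announcements are sent when a node is created or updated.
  if ($op != 'insert' && $op != 'update') {
    return;
  }
  // Assumption: the node's access grants are already stored when this runs.
  // If they are not, the check fails closed and nothing is announced.
  if (!example_node_is_public($node)) {
    watchdog('example', 'Node @nid not announced: not viewable by anonymous users.',
      array('@nid' => $node->nid), WATCHDOG_INFO);
    return;
  }
  example_announce($node->title, url('node/' . $node->nid, array('absolute' => TRUE)));
}

/**
 * Hypothetical stand-in for the code that publishes to an external service.
 */
function example_announce($title, $link) {
  // Only the title and link leave the site, and only after the check above.
  watchdog('example', 'Announced "@title" (@link).',
    array('@title' => $title, '@link' => $link), WATCHDOG_INFO);
}
```

Logging the skipped node ID, rather than its title, keeps private forum titles out of the log as well.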

Comments

steinmb

Version: 6.x-2.3 » 6.x-3.x-dev

Is this still an issue?

davidneedham

Status: Active » Closed (fixed)

No reply.