Posted by chebrushaka on August 18, 2009 at 11:56am
| Project: | Node Access |
| Version: | 6.x-1.8 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | active |
| Issue tags: | Node_access does not integrate with files or any other modules |
Issue Summary
Hi.
I found a problem.
When I turn off the "view" permission for the anonymous user on a node,
I can still access the images and files (CCK fields) of this node by URL.
Example:
The node http://site/node/87 is not available to anonymous users, but
the image http://site/system/files/images/fil12.tmp_.png?1250592301 is available.
Is this a bug, or am I doing something wrong?
P.S. The download method in the file system settings is set to "private".
Comments
#1
#2
This is not a bug; the system does not integrate with CCK, the upload module, or the local file system. If you wish to hide access to files, you will need to extend the upload module and/or set the files on the server to only be accessible by specific user accounts other than apache (and/or everyone).
Sorry.
#3
The fact that a Drupal module does not integrate with most of core Drupal is not only critical, but something that potentially users should be warned about on the project page. It is potentially a security issue as well, because it breaks the core private files system and gives access to files on nodes which it claims to be protecting.
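The gap discussed in this thread, a private-file URL staying reachable when its node is not viewable, can be closed from a small custom module. The following is an added example, not part of the thread and not code from the Node Access project: a Drupal 6 `hook_file_download()` implementation that denies a private download unless the current user can view a node the file is attached to. The module name `mymodule` is hypothetical, and the lookup covers only files attached through the core upload module's `{upload}` table; CCK file fields keep their file references in their own field tables and would need an equivalent query.

```php
<?php
/**
 * Implementation of hook_file_download() for Drupal 6.
 *
 * "mymodule" is a hypothetical module name used for this example.
 * Return values follow the hook's contract: -1 denies the download,
 * NULL means "no opinion" and leaves the decision to other modules.
 */
function mymodule_file_download($filepath) {
  // The hook receives a path relative to the files directory, while
  // {files}.filepath stores the full path, so normalise it first.
  $fullpath = file_create_path($filepath);
  if ($fullpath === FALSE) {
    // Path is outside the files directory; not ours to decide.
    return NULL;
  }

  // Find every node this file is attached to via the core upload module.
  $result = db_query(
    "SELECT u.nid FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid WHERE f.filepath = '%s'",
    $fullpath
  );

  $attached = FALSE;
  while ($row = db_fetch_object($result)) {
    $attached = TRUE;
    $node = node_load($row->nid);
    // node_access() checks the current user against the node access
    // grants, so restrictions set by node access modules apply here.
    if ($node && node_access('view', $node)) {
      // The user may view at least one node that uses this file.
      // Express no opinion; other modules supply headers or deny.
      return NULL;
    }
  }

  // Attached to one or more nodes, none of them viewable: deny.
  // Files unknown to the upload module are left to other modules.
  return $attached ? -1 : NULL;
}
```

Because core's `file_download()` refuses the request as soon as any module returns -1, this check takes effect even when another module would otherwise grant the download. It applies only with the "private" download method, where requests pass through `system/files`.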