Not Respecting Node Access
sami_k - May 4, 2006 - 05:59
| Project: | Atom |
| Version: | 4.7.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed |
Jump to:
Description
This module isn't respecting node access in that its making titles available of nodes not available to anonymous users.
#1
I can confirm this bug. I'll look into fixing this and will post again if I have something.
#2
Marking this critical because I think it should be fixed before any of the branches are tagged to be 1.0 stable.
#3
Agreed, and thanks.
#4
Can someone confirm the same problem happening with the core RSS feed? The reason I ask is Atom and RSS have the same query to the node table.
#5
You're right. It looks like any promoted node that's published to the core rss.xml feed is visible, even to unprivileged users.
#6
So... now what? 1) File a bug against core RSS, 2) "won't fix" this as a copy of core function, or 3) add node access as a feature? Is there a 4)? I don't have private content published to the front page on any of my sites, so from my more distant point of view, I'm leaning towards 1&3.
#7
I'm not able to reproduce this so far. Could I get a step by step? What node types are viewable in the feed to unprivileged users? By unprivileged, I've been assuming you mean the "access content" right in the node content area of the access control page. What version of Drupal?
#8
committed a fix to DRUPAL-4-6, DRUPAL-4-7, DRUPAL-5, DRUPAL-6-1, and HEAD.
#9
Automatically closed -- issue fixed for two weeks with no activity.