Not Respecting Node Access

I can confirm this bug. I'll look into fixing this and will post again if I have something.

Marking this critical because I think it should be fixed before any of the branches are tagged to be 1.0 stable.

Agreed, and thanks.

Can someone confirm the same problem happening with the core RSS feed? The reason I ask is Atom and RSS have the same query to the node table.

You're right. It looks like any promoted node that's published to the core rss.xml feed is visible, even to unprivileged users.

So... now what? 1) File a bug against core RSS, 2) "won't fix" this as a copy of core function, or 3) add node access as a feature? Is there a 4)? I don't have private content published to the front page on any of my sites, so from my more distant point of view, I'm leaning towards 1&3.

I'm not able to reproduce this so far. Could I get a step by step? What node types are viewable in the feed to unprivileged users? By unprivileged, I've been assuming you mean the "access content" right in the node content area of the access control page. What version of Drupal?

committed a fix to DRUPAL-4-6, DRUPAL-4-7, DRUPAL-5, DRUPAL-6-1, and HEAD.

1.22.2.1 is where the node_access was added for a quick workaround. It really ought to have a proper node_access implementation with rewrites. Re-opened because of #458034: Not yet moderated node found in atom feed! (modr8 or atom issue?).

Again posting patch here.

Ton of love has gone into the code recently. This has been fixed in the Drupal 6 branch, working on the DBTNG queries in the HEAD branch. Just going to mark this as fixed for now.