Access
Taz - November 10, 2009 - 00:27
| Project: | OG Aggregator |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Taz |
| Status: | closed |
Description
An authenticated user can still access the feed-page at node/x/aggregator from any group if he only knows the nid of the group.
#1
Subscribing - and thanx for taking this to a new issue. I assume my analysis at http://drupal.org/node/611404#comment-2243932 was wrong, as you don't mention it here? Or was that part clear anyways to anyone else than me? ;)
Then: more questions, if you have the patience. Why version 6.x-1.x-dev and not 6.x-1.3? And finally I still see this as critical, but you know that so I am not going to overrule your judgement here. But would like to learn how to use Priorities correctly.
#2
Just a small patch, but it should ensure that viewing the feed page is checked against the viewing permissions of the group first.
#3
Thx, I successfully applied that patch on my testsite against 6.x-1.3 and can confirm that access is checked on the feed-site then. Cannot judge on code-level though, as I don't understand enough of it, yet.
#4
Thanks for the patch Geoff
Committed and a new release 1.4 has been made with these past few bug fixes.
#5
Automatically closed -- issue fixed for 2 weeks with no activity.