All feeds (seem to) ignore node access permissions. Nodes can be inaccessible on the site in every way, for certain access levels, but are happily revealed to unauthenticated users in the feeds.
The affected modules, AFAICT, are node.module and taxonomy.module (blog.module, aggregator.module, etc.; every core module that creates a feed, really).

Setting the feeds to Titles-only lessens the security loss, but the items shouldn't be included in the first place.

I thought inserting:

    $item = node_load($node->nid);
    $link = url("node/$node->nid", NULL, NULL, 1);

+    if (!node_access('view', $node)) {
+      continure;
+    }

    if ($item_length != 'title') {
      $teaser = ($item_length == 'teaser') ? TRUE : FALSE;
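Review bot: as posted, the new check never skips anything, because `continure;` is not `continue`: PHP reads an unknown bare word as an undefined constant, so the statement only raises a notice and does nothing, and control falls through to the `if ($item_length != 'title')` block for every node, which is consistent with the report that the insertion "does not seem to help". Separately, `node_access('view', $node)` is handed the loop's `$node`, which is only the row the feed query returned, while the fully loaded node is in `$item` (built by `node_load($node->nid)` two lines above); give the access check the loaded node, e.g. `if (!node_access('view', $item)) { continue; }`, so the decision is made on the complete node rather than on a partial row. Even with both fixed, a per-item check at this point is only defence in depth: the listing query itself should already exclude inaccessible nodes, otherwise the same rows leak into every other listing built from the same query.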

on line 1417 of node.module (in the node_feed function) would do the trick.
Alas, it does not seem to help.

Comments

killes@www.drop.org wrote:

What kind of node access module do you use?

BachusII wrote:

The normal ones (provided in a default install) + taxonomy_access.module.

I have not been able to exclude nodes from the feeds in any way.
The node_feed function does not seem to have any call to the node_access function.

Btw, typo in my example: that should be continue, not continure.

killes@www.drop.org wrote:

That might be a bug in the taxonomy_access module. The code in node_feed properly encapsulates the database query in db_rewrite_sql.

BachusII wrote:

I just (re)tried with the taxonomy_access.module deactivated and disabled.
The problem persists, and is worse than before.

/taxonomy/term/TERM_ID and /taxonomy/term/TERM_ID/0/feed list the items, including teasers (which is configurable, I know).
And so do / and /node.
Only when I click one to view it does Drupal complain about that node's permissions (as defined and configured by that node's module).

So, the problem is not necessarily in the feed functions, but in the functions that create a list of nodes to display (on a page, or on a feed),
which does raise a couple of questions:

  • Why do the access controls of taxonomy_access.module not work for feeds?
    Not the problem of Drupal core developers. But the developers behind taxonomy_access should be notified.
  • Is it (in general) the right behaviour to include inaccessible nodes (and their teasers) in dynamic node listings? Or should they not be included?
    In my opinion not.
  • Should the previous conundrum be an option in the settings? If yes, what should be the default?

As far as Drupal core goes the priority of this issue could be lowered, agreed?

killes@www.drop.org wrote:

If you disable taxonomy_access no node access checks will be performed beyond the general "access content" permission.

I think this issue should be moved to the taxonomy_access module.

I have reports that access control for RSS feeds does work with other modules.

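To make the two points in the comment above concrete (node_feed's query goes through db_rewrite_sql, and with no node-access module enabled only the general "access content" permission applies), here is an added example that is not code from this thread, from Drupal or from taxonomy_access: a Python/SQLite model of the {node} and {node_access} tables, the INNER JOIN and WHERE clause that the node module's db_rewrite_sql hook appends to a listing query, and the per-node query that node_access('view') runs. The column names follow Drupal's node_access table; the realm name example_realm, the grant ids and every row are constructed for the example.

```python
"""Model of how a Drupal node listing is gated by the node_access table.

Added example, not Drupal code: an SQLite stand-in for {node} and
{node_access}, the JOIN/WHERE that db_rewrite_sql() appends to a listing
such as the one in node_feed(), and the per-node check behind
node_access('view', ...). Realm 'example_realm' and all rows are assumptions.
"""
import sqlite3

# Constructed sample nodes: (nid, title, status, promote, created)
NODES = [
    (1, "Public post", 1, 1, 100),
    (2, "Members only", 1, 1, 200),
    (3, "Orphaned: published, but no node_access rows", 1, 1, 300),
    (4, "Unpublished draft", 0, 1, 400),
]

# Rows a node-access module writes: (nid, gid, realm, grant_view, grant_update, grant_delete)
MODULE_ROWS = [
    (1, 0, "example_realm", 1, 0, 0),  # gid 0 of the realm: visible to anonymous
    (2, 5, "example_realm", 1, 0, 0),  # only members of gid 5 may view node 2
]
# What the table holds when no node-access module is enabled: one catch-all row.
DEFAULT_ROWS = [(0, 0, "all", 1, 0, 0)]

# Grants in the shape node_access_grants() returns: realm -> list of gids.
# Every user carries the 'all' realm with gid 0; the rest comes from modules.
ANON_GRANTS = {"all": [0], "example_realm": [0]}
MEMBER_GRANTS = {"all": [0], "example_realm": [0, 5]}

NAIVE_LISTING = (
    "SELECT n.nid FROM node n WHERE n.promote = 1 AND n.status = 1 "
    "ORDER BY n.created DESC"
)


def build_db(access_rows):
    """In-memory stand-in for {node} and {node_access}."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, status INTEGER,"
        " promote INTEGER, created INTEGER);"
        "CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT,"
        " grant_view INTEGER, grant_update INTEGER, grant_delete INTEGER);"
    )
    db.executemany("INSERT INTO node VALUES (?,?,?,?,?)", NODES)
    db.executemany("INSERT INTO node_access VALUES (?,?,?,?,?,?)", access_rows)
    return db


def view_all_nodes(db):
    """True when the catch-all row exists, i.e. no module restricts viewing."""
    row = db.execute(
        "SELECT COUNT(*) FROM node_access"
        " WHERE nid = 0 AND gid = 0 AND realm = 'all' AND grant_view >= 1"
    ).fetchone()
    return row[0] > 0


def grant_clause(grants):
    """'(na.gid = ? AND na.realm = ?) OR ...' for the caller's grants, plus params."""
    parts, params = [], []
    for realm, gids in grants.items():
        for gid in gids:
            parts.append("(na.gid = ? AND na.realm = ?)")
            params.extend([gid, realm])
    if not parts:
        return "0", []  # no grants at all: nothing can match
    return "(" + " OR ".join(parts) + ")", params


def naive_listing(db):
    """The listing with no access rewrite: every published, promoted node."""
    return [r[0] for r in db.execute(NAIVE_LISTING)]


def rewritten_listing(db, grants):
    """The same listing after the node_access JOIN/WHERE that the rewrite adds.
    The rewrite is skipped when nothing restricts viewing, as Drupal does."""
    if view_all_nodes(db):
        return naive_listing(db)
    clause, params = grant_clause(grants)
    sql = (
        "SELECT DISTINCT n.nid, n.created FROM node n"
        " INNER JOIN node_access na ON na.nid = n.nid"
        " WHERE n.promote = 1 AND n.status = 1"
        " AND na.grant_view >= 1 AND " + clause +
        " ORDER BY n.created DESC"
    )
    return [r[0] for r in db.execute(sql, params)]


def can_view(db, nid, grants):
    """Per-node check: a row for this nid, or the nid 0 catch-all, must grant view."""
    clause, params = grant_clause(grants)
    sql = (
        "SELECT COUNT(*) FROM node_access na"
        " WHERE (na.nid = 0 OR na.nid = ?) AND na.grant_view >= 1 AND " + clause
    )
    return db.execute(sql, [nid] + params).fetchone()[0] > 0


def feed_items(db, grants):
    """Rewritten listing plus the per-item check the reporter wanted in node_feed()."""
    return [nid for nid in rewritten_listing(db, grants) if can_view(db, nid, grants)]


if __name__ == "__main__":
    off, on = build_db(DEFAULT_ROWS), build_db(MODULE_ROWS)
    print("module off, anonymous:", rewritten_listing(off, ANON_GRANTS))  # [3, 2, 1]
    print("module on, anonymous:", feed_items(on, ANON_GRANTS))           # [1]
    print("module on, member:", feed_items(on, MEMBER_GRANTS))            # [2, 1]
    print("module on, no rewrite:", naive_listing(on))                    # [3, 2, 1]
```

Running it shows the three situations the thread describes. With only the catch-all (nid 0, realm 'all') row in the table, the rewrite is skipped and every published, promoted node is listed, which is what "no node access checks beyond access content" means in practice. With module rows present, the anonymous grants see only node 1 and the member grants see nodes 1 and 2. Node 3, which is published but has no node_access rows at all, is listed by the unrewritten query yet denied by the per-node check, which is exactly the "listed in the feed, refused when clicked" symptom from earlier in the thread, and is the kind of inconsistency a stale or half-rebuilt access table produces.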
BachusII wrote:

Project: Drupal core » Taxonomy Access Control
Version: 4.7.2 » master
Component: node system » Code

I strongly believe showing teasers for, or even links to, inaccessible nodes is the wrong behaviour.
In my opinion the "general access" permission controls are lacking in that regard.

I agree this is no Drupal core issue.
Thanks for helping sort this out so far.

pwolanin wrote:

Are you sure you have TAC configured properly? If I put in a URL for a restricted feed like:

www.example.org/taxonomy/term/39/0/feed

or

www.example.org/taxonomy/term/39

I just get the error page unless I'm logged in.

BachusII wrote:

Priority: Critical » Minor

Crap, yesterday I had consistent results; now I can't seem to replicate it anymore. I hate when that happens.

Btw, it does seem to share some symptoms with http://drupal.org/node/56393

Anyway, I'll keep an eye on it. If nothing occurs in the next couple of days we can close this issue.

keve wrote:

If the problem persists, please try it on a fresh install on your system and provide a procedure for how to reproduce the bug. For me the feeds seem to work well.

BachusII wrote:

Status: Active » Closed (fixed)

(This is a (near) vanilla installation. I'm currently setting up.)

No recent problems. I guess it was an anomaly in the access tables.