Notify sends unauthorized information [#75858]

I have Notify enabled on my production site. There are various nodes that are restricted by the combination of Category and cac_lite.

I ran a cron job for the first time to re-index the search capability and the notify emails that went out included links to nodes which are not accessible to various users.

Obviously, when they click on the links, they go to the "unauthorized" page set up on the site.

This may have been fixed, as there have been many changes to this module since my installation, which is 4.7

Comments

Comment #1

RobRoy commented 2 August 2006 at 16:22

Do you have the latest version of notify 4.7? I've made some changes so try that first and then report back. Hopefully it's not still an issue.

Comment #2

drupal777 commented 3 August 2006 at 03:36

No, I'm using 20/4/2006 4.7.0, not anything newer. I don't have the ability to test it easily at the moment as my test site is fubared and I'm a bit reluctant to test it on my production site. I suppose if nobody else is having this problem I should just leave it enabled only for site administrators. If I get a chance to run a test with cvs 30/072006 I'll post back. I think the issue should remain open until somebody confirms it is no longer a problem.

Comment #3

RobRoy commented 11 August 2006 at 19:54

Status:

Active

» Fixed

I hadn't merged the changes from HEAD to DRUPAL-4-7, so it should be working now. Marking as fixed. Please set to active if this is not the case.

Thanks!

Comment #4

(not verified) commented 25 August 2006 at 20:01

Status:

Fixed

» Closed (fixed)

Comment #5

magnusprime commented 13 September 2006 at 03:18

Version:		» 4.7.x-1.x-dev
Status:	Closed (fixed)	» Active

As stated here: http://drupal.org/node/81113.

I have created a new content type using the ContentO module, and set permission to only a certain role. However, ever user role gets notified of that new content. This is using the 4.7 version posted on drupal.org as of 1 week ago.

I have not tested the CVS version yet, that is planned for this week.

Comment #6

magnusprime commented 25 September 2006 at 18:02

I tested the cvs version. Same results. Could it be that the contento module does not truly follow/implement dupal's permission?

Comment #7

RobRoy commented 26 September 2006 at 16:32

You're saying that userA doesn't have access rights to node ID 4 for example, but that content is getting mailed out with Notify. Can you try this for me: log in to the site as userA and go to node/4 or whatever. Do you get an access denied/not found page or can you see the node?

Comment #8

magnusprime commented 28 September 2006 at 13:54

hmm... I know what the issue is now...

I apologize for thinking its the Notify module.

After looking at it again, and how the permissions are set, since that user has node access rights, and the new content is just a node, they have access to it. So, the Notify module is working fine.

I need to fine tune the access rights more, and use a custom node that does allows me specify role access for that node type. They dont see the menu that the content belongs to, but if I navigate directly to the node, its there.

Comment #9

RobRoy commented 28 September 2006 at 17:31

Status:

Active

» Closed (fixed)

Okay, I'm closing this. Please re-open this if anyone comes across this error again. Thanks for the feedback!

Notify sends unauthorized information

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

News items

Our community

Documentation

Drupal code base

Governance of community