I have Menu Access installed on several sites and have the following problem on every site that uses it.

Every time I click on the "Save configuration" button in Site building > Menus > Menu Access Settings or Menu Item Access Settings, anonymous users are immediately denied access to the site. I then have to log in to the database and fix the node_access table which is suddenly empty.

This happens even if I haven't made any changes and simply click on the "Save configuration" button.

I have the Per menu access control settings checked for Enable per menu access control settings. The Default access control settings are set to allow anonymous and authenticated users to view and only the content editor to edit or delete.

It happens even though the User management > Permissions > menu_access module and menu_item_access module are set to allow anonymous and authenticated users to access menu items.

Why does saving the configuration wipe out the node_access table content and deny anonymous users access to any pages on the site? Can this be fixed?

I'm using Drupal 6.19 on an Apache server with MySQL 5.1.47 and PHP 5.2.14.

Thanks.

Comments

WesleyTx’s picture

WesleyTx commented

I'd like to report that I'm getting the same problem. This is the first time I've tried this module and I get the same results as stated above.

emptyvoid’s picture

emptyvoid commented
Assigned: Unassigned » emptyvoid

I would assume that the newest releases of Drupal 6.x have changed how access rights are managed. I will need to review the module and determine the best course of action to update the business logic. Now that I have CVS access again, expect updates and a patch soon.

Thanks for provide the information.

dstotijn’s picture

dstotijn commented

Maybe it's a good idea to post a warning on the module page about this situation? I think a lot of people just proceed with installing and configuring on the newest Drupal 6.x releases without backing up first because they see the green 'stable' status and a solid number of reported installs. Might save a lot of people from tearing their hair out.

Thanks for your work, very much appreciated! :)

mesr01’s picture

mesr01 commented

You guys probably tried it already, but it's worth mentioning here: I stumbled on what looks to be the same problem and by reading your posts, I thought about rebuilding the permissions (logically located in "Post settings" ;-). Basic stuff, one would say! It actually solved the problem for my site.

ratinakage’s picture

ratinakage commented
Priority: Major » Critical

The same thing happened to me.

Luckily I found this thread quickly and rebuilt my permissions. admin/content/node-settings/rebuild

I would definitely say this module should no longer show up as released as people might make the same mistake which pretty much takes down your entire site.

emptyvoid’s picture

emptyvoid commented

I am hesitant to make the permissions be rebuilt every time an administrator saves a menu or menu item.

When using this module I routinely clear the cache, run cron, and rebuild the permissions. This is required while configuring and testing any security policies. Once the policies were completed I saw no issues with access.

This module is an advanced module for developers and systems administrators and requires precautionary measures when installing, enabling, and disabling. Such as making database backups before and after applying security policies, source code backups may also be prudent as well.

http://drupal.org/node/839648

ratinakage’s picture

ratinakage commented

How about a warning that comes up every time you save the menu item warning you that you should rebuild your permissions?

@emptyvoid - What if you were making this change on a live busy site? After saving the change to a relatively small menu item, you would need to very quickly go and rebuild your permissions. If you didn't do that for a minute, that would be one minute in which all your users would get "Access Denied" errors. Seems like this is not a viable solution for busy sites.