Views such as "Latest blog post comments" don't fully enforce the node access system and display the titles of comments and paths of nodes to which the user does not have access, such as nodes in a private group.

These views check that nodes are published and that the user has the "access comments" permission, but not more general node access (such as OG node access control).

CommentFileSizeAuthor
commons-comments-node-access.patch56.07 KBezra-g
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

laurentc’s picture

laurentc CreditAttribution: laurentc commented
Status: Needs review » Reviewed & tested by the community

Reviewed and tested.
Thanks for the patch

ezra-g’s picture

ezra-g CreditAttribution: ezra-g commented
Status: Reviewed & tested by the community » Fixed

Thanks for the review. This is committed: http://drupalcode.org/project/commons.git/commit/32b4c4f

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.