Node reference field's select list shows unpublished nodes

This is by design. Being able to reference unpublished nodes is a feature, especially when staging content.

The field settings let you use a View to specify referenceable nodes. You can configure the view to filter out unpublished nodes, if you prefer that.

The problem as I understand it - which I have too - is that when you expose a nodereference field as a filter in a view, the resulting select list includes field content from unpublished nodes. Filtering the view to display only published nodes does not affect the nodereference filter.

The list of referenceable nodes only lists nodes that the current user is allowed to see - that might include unpublished nodes, since, depending on the user permissions, some users can see unpublished nodes (sometimes all of them, sometines only their own, depends on the perms they have).

So the exposed filter shouldn't list anything the current user isn't allowed to see anyway.

Well then, I think we have a bug.
I have a view with a node reference displayed as a filter.
Anonymous users don't have access to unpublished content, but the filter [not the view result] shows unpublished nodes which they can use to filter the view.

Views exposed filter is getting node list from the same function as node association form element.

I needed to hide unpublished nodes from users who use exposed filter, so I changed file node_reference.module

references version: 7.x-2.x-dev (2011-10-10)
file: node_reference.module
line: 803 (before $result = $query->execute()->fetchAll();)
new code:
if(!user_access('view all unpublished content')){
$query->condition('n.status', 1, '=');
}

I'm noticing this same bug in Views 6.x-2.16.

I am experiencing the same problem with Views 6.x-2.16.

Whether it's by design or not, does anyone know of a way to override it? Perhaps with a custom module using hook_form_alter?

Thanks.

@Kimberley_p: Actually, I did find a way to override it. You just need to have the Views module enabled. You just have to create a View that lists only the nodes you want to display -- for example, create a view that lists the titles of published nodes only. Then edit the CCK nodereference field. At the bottom of the edit form you'll see an expandable link titled "Advanced - Nodes that can be referenced (View)," and use it to select the View you just created. I'm attaching a screenshot showing how I did this on my site.

I still think it's a bug to have Views by default display titles of unpublished nodes in exposed filters that are accessible to users who are not supposed to have permission to see unpublished content. It's a big of a security hole, although it is mitigated by the fact that users still can't click through to the full node. However, it creates at least the possibility of embarrassment. Suppose, for example, that someone decides to create unpublished test content on their website and gives the content a silly name.

Sheldon - thanks very much for the response. I have created a view and added it to nodes that can be referenced on the field and it works! This is the good news, the bad news is that instead of taking the node out of the list, it leaves a blank space where it would have been that still links to it - so basically, it just takes out the title and leaves the link. I have attached a screenshot. Will let you know if I find a fix.

Kimberley, the latest problem as you've described it doesn't happen on my website. Maybe you need to modify the view that you've created.

Sheldon, I think you're right as installing views hacks and limiting the view to those in the result set takes out many more nodes but still leaves blank spaces. I think this is a seperate problem - so thanks for fixing my original one!