Sorry for this request: I have this output and I don't understand why - I use pathauto.
How to solve?

The default /node page created by Drupal core is still enabled. With improper setup of node types, this can reveal sensitive information (e.g. using the profile module with automatic publish to front activiated)!

many thanks!

Attached file: Is /node available? --- Security risk! (24.71 KB, author: bardill)

Comments

malc0mn’s picture

Status: Active » Closed (duplicate)
bardill’s picture

Many thanks malc0mn - but it's impossible to understand.
How to solve this check? What are the settings?
Many thanks. b

malc0mn’s picture

Component: Documentation » Code
Assigned: Unassigned » malc0mn
Category: support » bug
Status: Closed (duplicate) » Needs work

This error might not be relevant to you at all. If you have created a custom homepage and set it to be the default homepage in /admin/settings/site-information (all the way at the bottom) then it is relevant.

The solution is simply to unset the standard 'node' page using a hook_menu_alter() and the warning will go away.

In writing this response, I'm reopening the issue and marking it as a bug, as I should add an additional check before issuing this security alert:

  function _prod_check_node_available() {
    [...]
    $result = MENU_NOT_FOUND;
    $frontpage = variable_get('site_frontpage', '');
    if (!empty($frontpage) && $frontpage != 'node') {
      $result = menu_execute_active_handler('node');
    }
    switch ($result) {
      [...]
    }
    [...]
  }

Since it is not an issue when actually using the default /node homepage.

Or maybe better avoid running the check altogether if the default /node page is actually used? Not sure yet though:

  function _prod_check_functions() {
    [...]
    $frontpage = variable_get('site_frontpage', '');
    if (!empty($frontpage) && $frontpage != 'node') {
      $functions['security']['_prod_check_node_available'] = 'Is /node available?';
    }
    [...]
  }

In short: check /admin/settings/site-information (I assume you're on D6, given the issue state) and see if the Default front page field is empty or set to 'node'. If that is the case, then you can ignore the warning.

bardill’s picture

Many thanks for your time malc0mn. Great!
In /admin/settings/site-information my Default front page field is set with a views path: news
Can I ignore the warning?

Many thanks.
b

malc0mn’s picture

No, then you should implement the hook_menu_alter() to unset() the /node path.

malc0mn’s picture

Status: Needs work » Fixed

Applied to all branches. Used a different approach though.

bardill’s picture

Many thanks for your continued work.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

OnkelTem’s picture

Status: Closed (fixed) » Active

If this is such a common case, why not provide this override in the production check module and make it customizable on the prod check settings page?
Also, does this apply to Drupal 7, or is there another way to "turn off" the /node page? If yes, can I change the version of this issue to 7.x?

OnkelTem’s picture

Priority: Minor » Normal

An attempt to draw more attention! :)

malc0mn’s picture

Status: Active » Closed (won't fix)

I thought about integrating this in prod_check, but however silly and small it is, it really has no place in this module. This would open the door to adding other stuff like this to prod_check, while prod_check's only task is to perform checks and inform you about the status of your setup. That's it :)

Just add the hook to one of your custom modules:

  function mymodule_menu_alter(&$items) {
    $items['node']['access callback'] = FALSE;
  }

or even better in my opinion:

  function mymodule_menu_alter(&$items) {
    unset($items['node']);
  }

Clear the cache and you're good to go.

OnkelTem’s picture

@malc0mn

Thank you for quick reply and the proposed solution!

OnkelTem’s picture

I created a simple module for Drupal 7 which disables the 'node' page when it's not the site's front page:

http://drupal.org/sandbox/onkeltem/1805684
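
A sketch of the kind of module discussed in this thread, as an added example that is neither prod_check code nor the code of the sandbox project linked above: it removes /node only when another path is the front page, and flags a router rebuild when the front page setting is saved. It assumes Drupal 6 or 7 and a custom module named mymodule; the submit handler name is hypothetical.

```php
<?php
/**
 * @file
 * mymodule.module: added example, not part of prod_check.
 * Assumes Drupal 6 or 7 and a custom module named "mymodule".
 */

/**
 * Implements hook_menu_alter().
 *
 * Removes the core /node listing only when another path is the front page,
 * the same condition used in the check sketched earlier in the thread.
 */
function mymodule_menu_alter(&$items) {
  // Core falls back to 'node' when the variable was never saved.
  $frontpage = variable_get('site_frontpage', 'node');
  if (!empty($frontpage) && $frontpage != 'node' && isset($items['node'])) {
    // unset() makes /node return 404; setting 'access callback' to FALSE
    // would return 403 instead. node/add, node/%node and the other node
    // paths are separate router items and are not affected.
    unset($items['node']);
  }
}

/**
 * Implements hook_form_FORM_ID_alter() for the site information form.
 *
 * hook_menu_alter() only runs during a menu rebuild, so a later change of
 * the front page must trigger one or the router keeps the old decision.
 */
function mymodule_form_system_site_information_settings_alter(&$form, &$form_state) {
  // Appended after system_settings_form_submit(), which saves the variable.
  $form['#submit'][] = 'mymodule_site_information_submit';
}

/**
 * Submit handler (hypothetical name): rebuild the router on the next request.
 */
function mymodule_site_information_submit($form, &$form_state) {
  variable_set('menu_rebuild_needed', TRUE);
}
```

After enabling the module, clear the cache once so the menu router is rebuilt, then confirm that /node no longer returns the listing.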

malc0mn’s picture

See first comment in this thread :-D

OnkelTem’s picture

@malc0mn

Lol :)