Modules:
Drupal Core 7.15
Advanced Forum 7.x-2.0
Forum Access 7.x-1.0

All of my forums are generally accessible to all authenticated users. I have a forum called "Moderator Discussion" which is limited to people who are in the "Moderator" role. (This is separate from the moderator users in Advanced Forum.) The access control for this is set to allow only moderators and administrators to view and post in the forum.

My problem is that when a non-moderator user searches the site, the search results include posts inside the Moderator Discussion forum. The results appear along with the summary/teaser of the post. This allows everyone to view some of the private contents of this forum, which is undesirable to say the least. :) If the user were to click through to the post, they correctly receive a permission denied, so that is working perfectly.

It seems as if there is no filtering on the search results to hide things that the user had no permission to view, but I'm not that familiar with the hooks associated with search and filtering search or what Forum Access is or is not doing.

Any advice/suggestions/patches?

Thanks,
--Joel

Comments

salvis’s picture

Please try to temporarily disable Advanced Forum and check whether this still happens.

I'm running a production site without AF and I've just confirmed that Search is being restricted correctly on that site.

salvis’s picture

I've just done some testing with AF and I haven't been able to find any leaks.

What Search are you using?

joelrichard’s picture

Sorry for the delay in responding. I was traveling...

I'm using the standard, built-in Drupal search. Nothing special about that part. But now that I look more closely...it looks as if content_access module is interfering with this. Your documentation is accurate:

Besides Forum Access (and ACL) you have installed the following node access module(s):
content_access
The grants of every module are combined for each node. Access can only be granted, not removed — if a certain module grants a permission, the other(s) cannot deny it.

So I disabled the appropriate settings for my Forum Content Type for Content Access and I -believe- things are working as expected.

Sorry for the trouble. Chalk this up to RTFM. I will leave you to update the status of this request. :)
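
The grant-combination rule quoted above, modelled as an added example (not code from Forum Access, Content Access or Drupal core): view access is a logical OR over all matching grant rows, so the audit function lists nodes that a second module opens up despite the forum restriction. The rows, role IDs and realm names are constructed assumptions.

```php
<?php
// Constructed sample rows in the shape of Drupal 7's {node_access} table.
// Realm names and role IDs are assumptions for illustration.
$node_access_rows = [
  // nid 10: thread in the private "Moderator Discussion" forum.
  ['nid' => 10, 'realm' => 'forum_access',       'gid' => 4, 'grant_view' => 1], // moderator
  ['nid' => 10, 'realm' => 'forum_access',       'gid' => 3, 'grant_view' => 1], // administrator
  ['nid' => 10, 'realm' => 'content_access_rid', 'gid' => 2, 'grant_view' => 1], // authenticated user
  // nid 11: private thread with no second module granting access.
  ['nid' => 11, 'realm' => 'forum_access',       'gid' => 4, 'grant_view' => 1],
];

// Grants held by an ordinary authenticated user: each module contributes
// realm => list of grant IDs (here, role IDs).
$member_grants = [
  'forum_access'       => [2],
  'content_access_rid' => [2],
];

/**
 * A node is viewable if ANY row matches one of the user's (realm, gid) pairs.
 * There is no "deny" row, so one permissive module is enough.
 * Returns the realms that grant view, empty when access is denied.
 */
function realms_granting_view(array $rows, array $grants, int $nid): array {
  $hits = [];
  foreach ($rows as $row) {
    if ($row['nid'] === $nid && $row['grant_view']
        && in_array($row['gid'], $grants[$row['realm']] ?? [], true)) {
      $hits[] = $row['realm'];
    }
  }
  return array_values(array_unique($hits));
}

/**
 * Audit: nodes the restricting realm does not open to this user, but which
 * another realm does. These are the nodes that leak into listings.
 */
function overridden_nodes(array $rows, array $grants, string $restricting_realm): array {
  $leaks = [];
  foreach (array_unique(array_column($rows, 'nid')) as $nid) {
    $realms = realms_granting_view($rows, $grants, $nid);
    if ($realms && !in_array($restricting_realm, $realms, true)) {
      $leaks[$nid] = $realms;
    }
  }
  return $leaks;
}

print_r(overridden_nodes($node_access_rows, $member_grants, 'forum_access'));
```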

salvis’s picture

Category: feature » support
Status: Active » Fixed

Great, thanks for letting us know.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.