I created a new group, USADance-LA, and posted to it an event and agenda item. These nodes were NOT marked "Public", however, anonymous users could access them.
Posted issue here: http://drupal.org/node/204597
I know that if a node belongs to a group, but has taxonomy that matches a user, the user will be given access. In the case of the node posted to the USADance-LA group, First Board Meeting , nothing was selected in the "Categories" boxes, so the permissions should have defaulted to the Group realm, which only allowed "og_subscriber" to access the node. However, as noted before, ALL users could access the node.
So, I decided to look at the node_access table. I found this for the node in question, 3648:
According to this previous issue, the gid represents the rid when the realm is term_access. So, my immediate question was "What is giving causing node to give the grant_view permission to roles 0 (which is non-existent) and 1 (anonymous user)?
I then looked at the term_access table:
Apparently, rids 0 and 1 were being granted permissions on group nodes as a result of the first two lines of this query. I noted that I do not have a tid (term ID) = 0. So, this either represents something other than an actual term, or it's a mistake.
I decided to delete these two rows from the term_access table. After deleting them, I ran the "Rebuild Permissions" tool here:
That got rid of the rows in the node_access table, and the node itself is no longer publically available.
I have Taxonomy Access Control installed. I have had this site for some time, and have moved it (exported/imported data) at least once. My guess is that somewhere along the process, these grants were somehow added to term_access. My guess is that I probably should remove all non-existent tids from the term_access table, but I'm not sure. Will have to post this question on the TAC board.
(c) All Rights Reserved