| Case number: | 800-31 |
| Project: | Drupal Module Issues and Modifications [1] |
| Opened by: | somebody |
| Status: | Open |
| Assigned: | somebody |
| Priority: | 1-High |
| Type: | General Task |
| Opened on: | Monday, December 31, 2007 - 3:28pm |
| Last modified: | Tuesday, January 22, 2008 - 9:35pm |
I created a new group, USADance-LA, and posted to it an event and agenda item. These nodes were NOT marked "Public"; however, anonymous users could access them.
Posted issue here: http://drupal.org/node/204597 [2]
I know that if a node belongs to a group, but has taxonomy that matches a user, the user will be given access. In the case of the node posted to the USADance-LA group, First Board Meeting [3] , nothing was selected in the "Categories" boxes, so the permissions should have defaulted to the Group realm, which only allowed "og_subscriber" to access the node. However, as noted before, ALL users could access the node.
So, I decided to look at the node_access table. I found this for the node in question, 3648:

According to this previous issue, the gid represents the rid when the realm is term_access. So, my immediate question was: "What is causing the node to give the grant_view permission to roles 0 (which is non-existent) and 1 (anonymous user)?"
I then looked at the term_access table:

Apparently, rids 0 and 1 were being granted permissions on group nodes as a result of the first two lines of this query. I noted that I do not have a tid (term ID) = 0. So, this either represents something other than an actual term, or it's a mistake.
I decided to delete these two rows from the term_access table. After deleting them, I ran the "Rebuild Permissions" tool here:
That got rid of the rows in the node_access table, and the node itself is no longer publicly available.
I have Taxonomy Access Control installed. I have had this site for some time, and have moved it (exported/imported data) at least once. My guess is that somewhere along the process, these grants were somehow added to term_access. My guess is that I probably should remove all non-existent tids from the term_access table, but I'm not sure. Will have to post this question on the TAC board.
Update (2007-01-12):
After I updated to Drupal 5.6, I noticed that I now have the same problem again. When I query the term_access table:
select * from term_access where tid = 0
I still see:
| tid | rid | grant_view | grant_update | grant_delete | grant_create | grant_list |
|---|---|---|---|---|---|---|
| 0 | 0 | 1 | 0 | 0 | 1 | 1 |
| 0 | 1 | 1 | 0 | 0 | 1 | 1 |
| 0 | 2 | 1 | 0 | 0 | 0 | 0 |
| 0 | 3 | 0 | 0 | 0 | 0 | 0 |
| 0 | 4 | 0 | 0 | 0 | 0 | 0 |
| 0 | 5 | 0 | 0 | 0 | 0 | 0 |
| 0 | 6 | 1 | 0 | 0 | 0 | 0 |
| 0 | 7 | 1 | 0 | 0 | 1 | 1 |
| 0 | 8 | 1 | 0 | 0 | 1 | 1 |
So, I'm entering:
delete from term_access where tid = 0 and rid = 1
And rebuilt node permissions: http://www.centralavedance.com/admin/content/node-settings/rebuild [7]
That did it.
Nope. Now, authenticated users who are NOT a member of the group can still see Group content. That isn't good either. Think I need to delete the rid = 2 also:
delete from term_access where tid = 0 and rid = 2
Rebuilt node permissions in Post Settings [8] .
Logged in as "usadancela" which is awaiting subscription approval in USA Dance LA group. Can NOT see the non-public group posts.
Approved "usadancela" for USA Dance LA group. As "usadancela", I can now see group content. Excellent!
Question: What keeps putting in those tid = 0 and rid = 1 & 2 term_access records?
Links:
[1] http://www.scbbs.com/node/92
[2] http://drupal.org/node/204597
[3] http://www.centralavedance.com/node/3648
[4] http://www.centralavedance.com/
[5] http://www.centralavedance.com/admin
[6] http://www.centralavedance.com/admin/content
[7] http://www.centralavedance.com/admin/content/node-settings/rebuild
[8] http://www.centralavedance.com/admin/content/node-settings
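
An audit for the condition described in this case, as an added example that is not part of the original post: it lists term_access rows whose tid has no matching term and that still grant something, and uncategorized nodes that the term_access realm lets role 1 or 2 view. It assumes the Drupal 5 core taxonomy tables term_data and term_node, which the post does not mention; the data is constructed (the tid = 0 rows are copied from the table above; term 5, node 100 and group gid 42 are invented) and loaded into in-memory SQLite so the queries can run offline.

```python
import sqlite3

# Rows in term_access whose tid has no term in term_data (tid 0 on this page)
# and that still grant something to a role.
ORPHAN_GRANTS = """
SELECT ta.tid, ta.rid FROM term_access ta
LEFT JOIN term_data td ON td.tid = ta.tid
WHERE td.tid IS NULL
  AND (ta.grant_view = 1 OR ta.grant_update = 1 OR ta.grant_delete = 1
       OR ta.grant_create = 1 OR ta.grant_list = 1)
ORDER BY ta.tid, ta.rid"""

# Nodes with no categories that the term_access realm still lets the
# anonymous (rid 1) or authenticated (rid 2) role view.
EXPOSED_NODES = """
SELECT na.nid, na.gid FROM node_access na
LEFT JOIN term_node tn ON tn.nid = na.nid
WHERE na.realm = 'term_access' AND na.grant_view = 1
  AND na.gid IN (1, 2) AND tn.nid IS NULL
ORDER BY na.nid, na.gid"""

def build_sample_db():
    """Constructed data: the tid = 0 rows from the page plus one real term."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE term_data (tid INTEGER); CREATE TABLE term_node (nid INTEGER, tid INTEGER);
        CREATE TABLE term_access (tid INTEGER, rid INTEGER, grant_view INTEGER, grant_update INTEGER,
            grant_delete INTEGER, grant_create INTEGER, grant_list INTEGER);
        CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT,
            grant_view INTEGER, grant_update INTEGER, grant_delete INTEGER);
    """)
    db.execute("INSERT INTO term_data VALUES (5)")        # constructed real term
    db.execute("INSERT INTO term_node VALUES (100, 5)")   # constructed categorized node
    db.executemany("INSERT INTO term_access VALUES (?,?,?,?,?,?,?)", [
        (0, 0, 1, 0, 0, 1, 1), (0, 1, 1, 0, 0, 1, 1), (0, 2, 1, 0, 0, 0, 0),
        (0, 3, 0, 0, 0, 0, 0), (0, 4, 0, 0, 0, 0, 0), (0, 5, 0, 0, 0, 0, 0),
        (0, 6, 1, 0, 0, 0, 0), (0, 7, 1, 0, 0, 1, 1), (0, 8, 1, 0, 0, 1, 1),
        (5, 1, 1, 0, 0, 0, 1)])                           # last row: constructed
    db.executemany("INSERT INTO node_access VALUES (?,?,?,?,?,?)", [
        (3648, 0, "term_access", 1, 0, 0), (3648, 1, "term_access", 1, 0, 0),
        (3648, 42, "og_subscriber", 1, 0, 0), (100, 1, "term_access", 1, 0, 0)])
    return db

def audit(db):
    """Return (orphan term_access grants, uncategorized nodes open to rid 1/2)."""
    return db.execute(ORPHAN_GRANTS).fetchall(), db.execute(EXPOSED_NODES).fetchall()

if __name__ == "__main__":
    print(audit(build_sample_db()))
```

Both SELECT statements use only standard joins, so they can be run read-only against the site's own database to check whether the rows have reappeared after an upgrade or import.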