Index: directory.module
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/directory/directory.module,v
retrieving revision 1.11.2.20
diff -u -p -r1.11.2.20 directory.module
--- directory.module	30 May 2007 12:40:49 -0000	1.11.2.20
+++ directory.module	31 May 2007 05:11:32 -0000
@@ -831,8 +831,9 @@ function directory_taxonomy_term_count_n
   $modified = FALSE; // We keep track of modification of $count, to check whether we need to save it to DB.
 
   if (empty($count)) {
-    $count = cache_get('taxonomy_term_count_nodes', 'cache_page');
-    $count = unserialize($count->data);
+    // DEBUG -- 
+    //$count = cache_get('taxonomy_term_count_nodes', 'cache_page');
+    //$count = unserialize($count->data);
   }
   
   if (!isset($count[$type])) {
@@ -844,11 +845,13 @@ function directory_taxonomy_term_count_n
     // making sure there is no duplicate.
 
     // $type == 0 always evaluates TRUE if $type is a string
+    // FIXME: is db_rewrite_sql necessary here? See also http://drupal.org/node/147063. Yet, the db_rewrite_sql was in the original core function.
+    // Those queries count all nodes, regardless how many nodes the user has access to.
     if (is_numeric($type)) {
-      $result = db_query(db_rewrite_sql('SELECT t.tid, n.nid FROM {term_node} t JOIN {node} n ON t.nid = n.nid WHERE n.status = 1 '));
+      $result = db_query(db_rewrite_sql('SELECT t.tid, n.nid FROM {term_node} t JOIN {node} n ON t.nid = n.nid WHERE n.status = 1', 't', 'tid'));
     }
     else {
-      $result = db_query(db_rewrite_sql("SELECT t.tid, n.nid FROM {term_node} t JOIN {node} n ON t.nid = n.nid WHERE n.status = 1 AND n.type = '%s'"), $type);
+      $result = db_query(db_rewrite_sql("SELECT t.tid, n.nid FROM {term_node} t JOIN {node} n ON t.nid = n.nid WHERE n.status = 1 AND n.type = '%s'", 't', 'tid'), $type);
     }
     while ($item = db_fetch_object($result)) {
       if (!isset($count[$type][$item->tid])) {