Program nodes that are unpublished can still be seen by any user, including anonymous users.

As far as I can tell, the problem is twofold.

First, hook_access adds a view case:

    case 'view':
      return user_access('access content');
      break;

Second, it has a default case.
According to the comments in node.module (see * @defgroup node_access Node access rights), module implementations of this hook should return NULL.

If I remove the 'view' case, then the switch statement falls out with 'administer programs', which is wrong too.

One quick fix is to replace the 'view' case with this:

    case 'view':
      return NULL;

but it's not very elegant, as the view case should simply not appear in this hook as we're not trying to do anything different to what ordinary nodes do for the view case.

CommentFileSizeAuthor
#3 station_254510.patch1.42 KBdrewish

Comments

drewish’s picture

drewish commented

is this only a problem in the 1.2 release or does it affect later versions?

joachim’s picture

joachim commented

I can reproduce with a fairly recent CVS 5.x branch. I've not set up a D6 with this yet.

drewish’s picture

drewish commented
Version: 5.x-1.2 » 5.x-2.x-dev
Status: Active » Needs review
StatusFileSize
new station_254510.patch1.42 KB

how about this?

drewish’s picture

drewish commented
Status: Needs review » Fixed

committed to HEAD.

Anonymous’s picture

Anonymous (not verified) commented
Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.