How do I make cases invisible to people without access? Right now, my site grants no case tracker permissions to non-admins, but anonymous users can still see both the block listing latest cases and the actual nodes - how do I fix this? Is it a bug?

Comments

yngens’s picture

Category: support » bug

This is also true for 5.x-1.1. Am I supposed to open a new ticket or just change the version number of this thread?

yngens’s picture

Title: How do I make cases invisible to anonymous users? » Anonymous users can see cases without access!
Version: 4.7.x-1.0 » 5.x-1.x-dev

Not sure, but I am changing the topic and version of the module, since the problem in the initial ticket (that was opened in November) apparently persists in all the versions. I tried both 5.x-1.1 and 5.x-1.x-dev and both versions have the same problem - anonymous users can see case pages even without being granted such access.

yngens’s picture

Probably this alarm is false and might not be related to the module at all. What I did now is I checked off access to content for anonymous users, but they can still see block contents. They cannot access nodes, but can see all the blocks. Does this mean that my access table is screwed up? If yes, then the status of this thread should be changed.

yngens’s picture

Title: Anonymous users can see cases without access! » Anonymous users can see cases without access actually granted!

Well, I had more time today to test and reconfirm that the problem is in the module. I have tested both 5.x-1.1 and 5.x-1.x-dev, and in both versions content is available to anonymous users regardless of whether they (anonymous users) have been granted access to the module or not.

kkaland’s picture

You can add this code to casetracker_basic.module (casetracker_basic_access function) to fix this...but on the site I work with this is currently problematic, as a user can't view his cases and one of his roles has the permission. But maybe that's an isolated case, hence here's the code to add:

  if ($op == 'view') {
    return user_access('access casetracker');
  }

Not sure on the block part, but probably a check of a similar nature...

Cheers,
Kevin

squideshi’s picture

For us newbies, would you please indicate which file(s) this should go into? I am not sure which files make up the casetracker_basic.module and associated blocks.

Squideshi

squideshi’s picture

Anyone know the answer to this question?

dami’s picture

Priority: Normal » Critical
Status: Active » Needs review

@kjeffcoat: Your patch in post #5 actually works, except for a minor typo. The permission is actually 'access case tracker' instead of 'access casetracker' (note the white space)

Bumping this to critical. IMO, any access control problem is critical.

@squideshi: Under your casetracker/ directory, there is a casetracker_basic.module file. Toward the end, there is a function:

function casetracker_basic_case_access($op, $node) {
  global $user;

Insert the following lines below global $user:

  if ($op == 'view') {
    return user_access('access case tracker');
  }

zero2one’s picture

Assigned: Unassigned » zero2one
Status: Needs review » Reviewed & tested by the community

Merging the patch

zero2one’s picture

Status: Reviewed & tested by the community » Fixed

Released, see: #191510

yngens’s picture

This is marked fixed, but where is the last and most correct patch file?

squideshi’s picture

Thank you dami. This worked for me.

zero2one’s picture

Version: 5.x-1.x-dev » 5.x-1.2-beta2

It is in the latest release (5.x-1.2-beta2)

zero2one’s picture

Status: Fixed » Closed (fixed)

baloneysammitch’s picture

Status: Closed (fixed) » Active

Access to anonymous users is indeed denied, however Drupal still searches through the content and displays it to anon users. I just re-indexed my site after applying this patch and it still shows through the search function.

zero2one’s picture

Is there anybody who knows how to prevent search from showing found nodes that are not accessible to the user?

http://drupal.org/project/search_config could be a solution if no search within cases is needed...

milis’s picture

My problem is that when an anonymous user is on the project site he sees the links "add Case" and "view all project cases" even though he has no rights to add or view them. If the user then clicks on the link, he THEN gets the message that he does not have the right to access that page.

Is this behaviour intended? I would find it nicer if the link were not shown when a user does not have the rights.

Any suggestions how I can remove the links?

Thanks,
Milad

jmiccolis’s picture

Status: Active » Closed (fixed)

There is some confusion about the 'access case tracker' permission - it does not control access to any nodes, that kind of access is handled by node access modules, like OG. What the permission does is simply provide protection to the casetracker functionality.

Regarding the issue in #17, I'd like to fix that, though it's a bit off topic for this particular thread. ...but I'll see about fixing it for D6

I'm setting this back to 'closed'.
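
The "check of a similar nature" for the block that kkaland mentions, sketched as an added example that is not part of the thread or of Case Tracker's code. The names example_case_access and example_block and the sample case titles are hypothetical, and user_access() is stubbed here so the script runs outside Drupal.

```php
<?php
// Added example, not Case Tracker's own code. user_access() below is a
// stand-in for Drupal's function so the script runs outside Drupal.
$GLOBALS['granted'] = array();  // constructed: permissions of the current user

function user_access($perm) {
  return in_array($perm, $GLOBALS['granted']);
}

// Per-node check, as in the fix from the thread: runs when one case is opened.
function example_case_access($op, $node) {
  if ($op == 'view') {
    return user_access('access case tracker');
  }
}

// Hypothetical "latest cases" block in hook_block() form. This listing never
// calls example_case_access(), so it has to test the permission itself.
function example_block($op = 'list', $delta = 0) {
  if ($op == 'list') {
    return array(0 => array('info' => 'Latest cases'));
  }
  if ($op == 'view' && user_access('access case tracker')) {
    // Constructed rows standing in for the query result.
    $titles = array('Case 1: login fails', 'Case 2: export broken');
    return array('subject' => 'Latest cases', 'content' => implode("\n", $titles));
  }
  // Returning nothing leaves the block empty for this user.
}

// Compare a user with no permissions against one holding the permission.
$users = array('anonymous' => array(), 'member' => array('access case tracker'));
foreach ($users as $who => $perms) {
  $GLOBALS['granted'] = $perms;
  $node = example_case_access('view', NULL) ? 'allowed' : 'denied';
  $block = example_block('view') ? 'shown' : 'hidden';
  print "$who: node view $node, block $block\n";
}
```

The same test would have to guard each place that lists case titles, since denying the node page alone does not hide a listing built elsewhere.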