Enabling the Nodeaccess module causes non-public nodes to be shown when selecting nodes with EntityFieldQuery.
Here's how to reproduce (nodeaccess_bug_test module attached):
Install Drupal 7.12
drush en forum --yes
drush en ctools --yes
drush en views --yes
drush en advanced_forum --yes
drush en acl --yes
drush en chain_menu_access --yes
drush en forum_access --yes
drush en devel --yes
drush en devel_node_access --yes
drush en nodeaccess_bug_test --yes
drush cc all
Rebuild permissions
Create forum called "Restricted" and set it not viewable by anon users.
Create a published article
Create non-published article
Create General forum discussion node
Create Restricted forum discussion node
Assign forum_access_bug_test blocks to a region
drush cc all, just in case
Now, viewing a page with the admin user shows four nodes, as it should.
Viewing a page with an anonymous user shows two nodes, as it should.
drush en nodeaccess --yes
Rebuild permissions
Now, viewing a page with an anonymous user shows all four nodes. Access control
restrictions don't seem to apply anymore when using EFQ. Also, viewing the
unpublished article node at node/NID shows the node even though it's not
published. Viewing the forum node gives a 403 as it should.
I'm also getting this error: "Notice: Undefined index: article in nodeaccess_access() (line 91 of /Users/ErnoKaikkonen/Sites/d7_forum_access/sites/all/modules/nodeaccess/nodeaccess.module)."
Checking "Give node grants priority" makes no difference.
Here's the EFQ used in the test module:
// $bundle is set to "article" or "forum"
$efq = new EntityFieldQuery;
$efq->entityCondition('entity_type', 'node', '=');
$efq->entityCondition('bundle', $bundle, '=');
$efq->propertyOrderBy('created', 'DESC');
$efq->addTag('node_access');
$efq->range(0, 10);
$nodes = $efq->execute();
Comment | File | Size | Author |
---|---|---|---|
nodeaccess_bug_test.tgz | 858 bytes | firebird |
Comments
Comment #1
bkosborneHmmm at first I thought this was perhaps because hook_node_access_records and hook_node_grants are not being used (which I thought were required to propery work with the node_access table), but I see that this module is manually manipulating the node_access table. Need to look at this more...
Comment #2
vlad.pavlovic CreditAttribution: vlad.pavlovic commentedPlease let me know what you find.
Comment #3
vlad.pavlovic CreditAttribution: vlad.pavlovic commentedPlease try patch from #2228713: unpublished nodes are visible. I think that it may solve the problem.
Comment #4
joelpittetThis is old and no response in quite some time, closing to triage. Re-open if there are more details.