Activating the base module (Taxonomy Tools module, none of the other ones included were needed to reproduce) and rebuilding the permissions causes all unpublished nodes (incl. basic pages etc) to be visible to anonymous users.

Deactivating the module immediately reverses this behavior.

Reproduce:

- Drupal 7.23
- To be sure about conflicts I deactivated nearly all other non-core modules (and all unnecessary core modules). Currently activated other modules: Chaos Tools, Entity Reference, Entity API
- All anonymous permissions unchanged. Only access to published content.
- Create a basic page, mark it as unpublished
- View the node as anonymous. Should be "Access denied"
- Activate the Taxonomy Tools Module and rebuild permissions, clear the cache
- Reload page as anonymous -> visible (here, at least)
- Disable the suspicious module
- Reload -> "Access denied"

Comments

wickwood’s picture

I just discovered this too! Super Critical Bug!!!

Too bad, it looked like it could have been useful.

inventlogic’s picture

Title: Module activation publishes (all?) unpublished nodes » unpublished nodes accessible by anonymous users - Module activation publishes (all?)
Issue summary: View changes

Wasted two days tracking this down.

As above, just enabling the Taxonomy Tools module gives anonymous users access to unpublished content.

This should be a priority for the developers.

balintcsaba’s picture

Assigned: Unassigned » martins.bertins
martins.bertins’s picture

Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

anschinsan’s picture

Status: Closed (fixed) » Active

Sorry to bring this up again - but as it is a really critical bug ...

The fix in http://cgit.drupalcode.org/taxonomy_tools/commit/?id=8d68e14 fixes the bug only when taxonomy_tools is the only module which implements hook_node_grants (I suppose) ... As we have a setup where another module uses this hook as well, anonymous users get access, but it's because of the code of the taxonomy_tools module.

As seen in the other module, I would suggest making the return of function taxonomy_tools_node_grants dependent on a permission (e.g. user_access('taxonomy_tools_nodegrants') or whatever you want to call it). I would prefer that any node_access functionality respect the settings as set up on the permissions page for any role, not only for anonymous users.

#####
Edit:

I have to correct my comment: Rebuilding the node access table after an update works as well. Perhaps the module should give an output indicating that the version install requires an update. Status page doesn't.
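The permission-gated grant pattern suggested in the comment above, sketched as an added example that is not part of the thread and is not taxonomy_tools code. The module name `example_terms`, its realm, grant ID and permission string are hypothetical; only the Drupal 7 hooks and `user_access()` are real API.

```php
<?php
/**
 * Hypothetical Drupal 7 module "example_terms" (illustration only).
 */

/**
 * Implements hook_permission().
 */
function example_terms_permission() {
  return array(
    'view example_terms content' => array(
      'title' => t('View content controlled by Example Terms'),
    ),
  );
}

/**
 * Implements hook_node_access_records().
 */
function example_terms_node_access_records($node) {
  // Once any module implements hook_node_grants(), core's node_access()
  // decides 'view' from the {node_access} table, so a view grant written
  // here for an unpublished node exposes it. Write none for such nodes.
  if (empty($node->status)) {
    return array();
  }
  return array(array(
    'realm' => 'example_terms',  // hypothetical realm name
    'gid' => 1,                  // hypothetical grant ID
    'grant_view' => 1,
    'grant_update' => 0,
    'grant_delete' => 0,
    'priority' => 0,
  ));
}

/**
 * Implements hook_node_grants().
 */
function example_terms_node_grants($account, $op) {
  $grants = array();
  // Grants from all modules are OR-ed together, so hand out this realm's
  // grant ID only to roles holding the permission, anonymous included.
  if ($op == 'view' && user_access('view example_terms content', $account)) {
    $grants['example_terms'][] = 1;
  }
  return $grants;
}
```

Rows already written to {node_access} stay in place until the affected nodes are saved again or node access permissions are rebuilt.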

martins.bertins’s picture

Assigned: martins.bertins » Unassigned
Status: Active » Closed (won't fix)