Currently the module doesn't respect user permissions at all. Some ideas:
1. The module should have a 'participate in user-to-user recommendation' permission, which excludes some users in the computation.
2. The module should check whether users have access to the content type using db_rewrite_sql().

Comments

jm.federico’s picture

jm.federico CreditAttribution: jm.federico commented
Version: 6.x-1.0-beta1 » 6.x-1.x-dev

There is a fix to check whether user has access to node or not.
Committed to dev branch.

danithaca’s picture

danithaca CreditAttribution: danithaca commented

awesome! D7 might have some nice API to do it too.

jm.federico’s picture

jm.federico CreditAttribution: jm.federico commented

I think I'll be pushing the dev to a stable version soon. The security check is worth it.

danithaca’s picture

danithaca CreditAttribution: danithaca commented

@jm.federico: great! thanks.

mrfelton’s picture

mrfelton CreditAttribution: mrfelton commented

Using this on D7, and only user 1 can see any recommendations.

danithaca’s picture

danithaca CreditAttribution: danithaca commented
Status: Active » Closed (fixed)

When I do the recommendation computation, I have to consider all items. Permission checking can happen when displaying the recommended items. This is already taken care of in the 6.x-2.0 release or the D7 release via Views support.

@mrfelton: I'm not sure why only 1 user can see recommendations. Perhaps you need many users before the system can generate recommendations.

Mark the status as "closed". Feel free to reopen it if people don't agree.