Steps to reproduce:
- Create a node tagged with a term from vocabulary_a.
- Install TAC and rebuild permissions.
- Configure the anonymous user as follows at
admin/user/taxonomy_access/edit/1
:
Global default
View: A
Update: D
Delete: D
Create: No
List: Novocabulary_a default
View: A
Update: D
Delete: D
Create: No
List: No - Rebuild access permissions again (because of #727648: Node access not updated on default change).
- Visit the node when logged out. It should be accessible.
- Rebuild access permissions again (because of #727648: Node access not updated on default change).
- Visit the node as the anonymous user. It is still accessible.
Now, change the vocabulary_a default as follows:
vocabulary_a default
View: D
Update: D
Delete: D
Create: No
List: No
I tested all the possible combinations, rebuilding after each change, with the following results:
Global default / vocabulary_a default: Node accessible?
Allow/Allow: yes
Allow/Ignore: yes
Allow/Deny: yes
Ignore/Allow: no
Ignore/Ignore: no
Ignore/Deny: no
Deny/Allow: no
Deny/Ignore: no
Deny/Deny: no
In all cases, the global default behavior is followed regardless of how the vocabulary default is set. This is not the expected behavior.
Comments
Comment #1
xjmWhat's worse is that it appears that there is the same problem between vocabulary defaults and individual term grants. E.g., with the global default set to allow, the vocabulary default set to either allow or ignore, and the term set to deny, the node is still accessible. It only works properly if the vocabulary default is deleted from the role configuration entirely.
Comment #2
xjmMarked #292312: default rule does not show up in node_access as duplicate of this issue. See in particular http://drupal.org/node/292312#comment-1167374.
Comment #3
xjm#687614: core permissions overrules TAC ? is a duplicate of this issue.
Comment #4
xjmPart of #165848: TAC permissions overriden by core? is also duplicate.
Comment #5
xjmI'm now unable to reproduce this bug with either 6.x-1.0 or 6.x-1.x-dev, even after completely uninstalling/reinstalling and rebuilding permissions. I'm not sure what is different between the test site I used when I reported this issue and the current one, but I'll postpone this until I can reproduce the issue reliably.
My current test site (where I cannot reproduce the bug) is OS 10.6 with PHP 5.2.13, MySQL 5.1.44_0 (mysqli driver), Drupal 6.16. Enabled modules include:
administration menu
all base cck modules
color
comment
database logging
help
menu
syslog
update status
upload
schema
coder
all devel modules except theme developer
import/export api
shared email
tac
token & token actions
views & views ui
Please post as much detail as you can if you encounter this issue, including steps to reproduce and your version of Drupal core.
Comment #6
xjmAlright, the test site that has this problem:
PHP 5.2.11
MySQL 5.1.35
OS 10.5
core 6.12
enabled modules:
admin menu
base CCK
custom formatters
case tracker
color
comment
database logging
help
menu
profile
taxonomy
schema
date
date popup
coder
devel, generate, nodeaccess
advanced help
automatic nodetitles
shared email
tac (latest dev build)
lineage
token
taxonomy batch operations
views exporter
views UI
I will try updating all these modules to their latest versions and updating core on the test site to see if that resolves the issue.
Comment #7
xjmUpgrading the site in #6 to the latest dev build of the module now resolves the issue, so I'm assuming it was fixed by another patch.
Comment #8
xjmI am encountering this issue again on a site with 6.x-1.2 with core 6.17. The global default seems to be overriding any grants, not just the vocabulary defaults. Written grants for a role are always consistent with the global default, including (this is the bad part) Ignore overriding Allow from specific terms. Obviously, this is a critical bug. Unfortunately, I cannot reproduce it on all sites.
Devel node access shows TAC writing zero-grant rows for nodes in a role where the Global default is I/I/I, regardless of whether more permissive terms are available
Comment #9
xjm#8 was a problem with Content Taxonomy not updating node tags properly after a content import... so not actually a problem with TAC at all. It's working correctly once the nodes are actually tagged.
Comment #10
xjmThe patch available in #881210: No list or create permissions on any terms may result in incorrect use of default on save should resolve any remaining problems like this. If you still encounter this bug or anything like it, please test the patch from that issue with the latest dev build of TAC. Direct link to patch:
http://drupal.org/files/issues/tac_881210-9.patch