Ok, I have a page in a category that's denied to anonymous users. When I try to access it when I'm logged out, I get denied, so everything's working fine, but when I log back in and look at the tracker page for that page, I see that "Anonymous" appears in the tracker log.

For inexperienced users this can be seriously worrying, because it appears that potentially confidential information is open to the public.

Not sure if this is a TAC problem, or a core tracker problem, but tracker messages need to be marked as denied if they are.

Comments

xjm’s picture

xjm
she/her
Primary language English
commented
Category: bug » support

I'm not sure if I understand the issue in question. As far as I know, the tracker is a post tracking module, not a page visit tracking module. It shows nodes that each user has created, updated, or commented on, not pages that each user visits. There are tracker pages for each user, not each page.

The component of core that shows access logs is watchdog. If you enable the Database Logging module (in Drupal 6 anyway; you did not indicate what version you were using), visit your restricted page while logged out, and then go to admin/reports/dblog while logged in as an admin, you will see entries for each "access denied" message.

In any case, this is not a feature of TAC. TAC uses the core node access system, so any core messages or logging are being provided via node.module.

Edit: did you perchance generate content with devel? Devel creates some posts as anonymous, so if you're seeing entries by anonymous users marked "new" or "updated," that could be why. The same would be the case if an administrator changed the authoring information for the node to anonymous, or if the node was owned by the anonymous user for some other reason.

naught101’s picture

naught101 commented
Title: Denied users still appear in the tracker page. » Denied users still appear in the node/%node/track.
Project: Taxonomy Access Control » Drupal core
Version: master » 6.x-dev
Component: Code » statistics.module
Category: support » bug

Sorry, I mean the "statistics" module, not the tracker module. Confusing because the tracking page is at node/%node/track. I'm definitely talking about access stats, not editing.

I guess the statistics module writes the access data without checking whether the page was actually accessed (ie. just checks whether the URL was hit).

I'm not sure how TAC works, possibly this issue should be moved to core, especially since there are a bunch of access control modules, and they probably all have this problem.

I'm moving this to drupal-6.x-dev, because that's what I'm using, but I guess it's probably not going to be fixed until 7 or 8 now...

Status: Active » Closed (outdated)

Automatically closed because Drupal 6 is no longer supported. If the issue verifiably applies to later versions, please reopen with details and update the version.