Hi all,
my problem is that as standard user I can access unpublished nodes because of flexiaccess node view permission.
My environment:
- fresh Drupal 7.55 standard installation
- installed modules devel_generate, flexiaccess 7.x-1.x-dev (2015-Feb-22), acl 7.x-1.x-dev (2015-Nov-10)
- created "test" user with limited permissions
I enabled Flexi Access for content type = Basic page. With devel_generate I created few tested pages. I edit one node, set is as unpublished. I edit this node again, set view permission for test user - warning message:
Warning: Your content is not published. These settings are not taken into account until the content becomes published.
was displayed, saved.
But as this "test" user I can still access this unpublished page.
I don't understand from where it should come that for standard user this flexi access / acl settings should not be applied. In the core node.module, function node_access(..), i do not see anywhere condition "..if node is unpublished then do not take in account ACL .."
Is this bug, or expected behavior? Then, how can I hide unpublished pages?
Thanks
Comments
Comment #2
gisleFormatting.
Comment #3
gisleThank you for reporting this.
The behavior follows from how the ACL module handles this (the relevant function is
acl_node_grants()) inacl.module. To change this behavior, changes must be made in ACL.However, the current behavior of ACL is consistent with Drupal access rules, which state that access will be granted as soon as at least one of the modules grants it.
Also note that Admins may want to use Flexi access to grant users access to unpublished nodes (so they can work on the node prior to publication), so the behavior you've observed is not a bug, but I agree that this is "not expected" given the message that you quote:
This is false. To reflect the module's behavior, the message should be:
Comment #5
gisleHas committed new string to describe expected behavior to 7.x-1.x-dev.