Hi all,
my problem is that as a standard user I can access unpublished nodes because of the flexiaccess node view permission.
My environment:

  • fresh Drupal 7.55 standard installation
  • installed modules devel_generate, flexiaccess 7.x-1.x-dev (2015-Feb-22), acl 7.x-1.x-dev (2015-Nov-10)
  • created "test" user with limited permissions

I enabled Flexi Access for content type = Basic page. With devel_generate I created a few test pages. I edited one node and set it as unpublished. I edited this node again and set view permission for the test user - warning message:
Warning: Your content is not published. These settings are not taken into account until the content becomes published.
was displayed, saved.
But as this "test" user I can still access this unpublished page.

I don't understand from where it should come that for a standard user these flexi access / acl settings should not be applied. In the core node.module, function node_access(..), I do not see anywhere a condition "..if node is unpublished then do not take in account ACL .."

Is this a bug, or expected behavior? Then, how can I hide unpublished pages?

Thanks

Comments

Bohus Ulrych created an issue. See original summary.

gisle’s picture

Issue summary: View changes

Formatting.

gisle’s picture

Assigned: Unassigned » gisle

Thank you for reporting this.

The behavior follows from how the ACL module handles this (the relevant function is acl_node_grants() in acl.module). To change this behavior, changes must be made in ACL.

However, the current behavior of ACL is consistent with Drupal access rules, which state that access will be granted as soon as at least one of the modules grants it.

Also note that Admins may want to use Flexi access to grant users access to unpublished nodes (so they can work on the node prior to publication), so the behavior you've observed is not a bug, but I agree that this is "not expected" given the message that you quote:

Warning: Your content is not published. These settings are not taken into account until the content becomes published.

This is false. To reflect the module's behavior, the message should be:

Warning: Your content is not published, but will be accessible by users that are given access through the nodes's ACL.

  • gisle committed 47fa9dd on 7.x-1.x
    Issue #2886076 by gisle: Fixed text giving wrong expectancy about...
gisle’s picture

Status: Active » Fixed

Has committed new string to describe expected behavior to 7.x-1.x-dev.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.
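
For the question of how to hide unpublished pages from users who hold an ACL view grant, one site-level option is a Drupal 7 hook_node_access() implementation in a custom module. This is an added example, not code from this thread or from the Flexi access or ACL projects; the module name mymodule is hypothetical.

```php
<?php
/**
 * @file
 * mymodule.module (hypothetical custom module name, Drupal 7).
 */

/**
 * Implements hook_node_access().
 *
 * node_access() collects these return values before it consults the
 * {node_access} grants table, and a single NODE_ACCESS_DENY ends the check.
 * Denying here therefore overrides a view grant written by ACL.
 */
function mymodule_node_access($node, $op, $account) {
  // For $op == 'create', $node is a content type string, not an object.
  if ($op != 'view' || !is_object($node)) {
    return NODE_ACCESS_IGNORE;
  }
  // Published nodes: leave the decision to the grants system.
  if ($node->status == NODE_PUBLISHED) {
    return NODE_ACCESS_IGNORE;
  }
  // Keep core behaviour for authors viewing their own unpublished content.
  $is_author = $account->uid != 0 && $account->uid == $node->uid;
  if ($is_author && user_access('view own unpublished content', $account)) {
    return NODE_ACCESS_IGNORE;
  }
  // Everyone else is refused, whatever grants exist for this node.
  return NODE_ACCESS_DENY;
}
```

Users with the "bypass node access" permission are unaffected because node_access() returns before invoking this hook. The deny also rules out the use case described above of giving selected users access to a node before publication.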