Unpublish tab does not remove items from taxonomy_index table. This means that unauthorised users may view unpublished content via any taxonomy term page which correctly included that page when it was published.

I have set up a clean minimal test site and confirmed that this bug is not restricted to the mature site where I (or rather Google) first discovered it.

Comments

AaronBauman’s picture

The publish/unpublish action calls node_save(), which in turn calls taxonomy_delete_node_index() and taxonomy_build_node_index() that maintain this table.
So, in theory, this bug should not exist.

Any further information or patches would be welcome.

Simon Georges’s picture

Priority: Critical » Normal
Status: Active » Postponed (maintainer needs more info)
johnennew’s picture

Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)

Closing old issue

johnennew’s picture

Issue summary: View changes

Revised for great clarity.