CentralAveDance Group Access Permissions

Assigned to:somebody
Created:somebody at Mon, 12/31/2007 - 3:28pm
Status:Open (General Task / Priority 1-High)
Case ID:Drupal Module Issues and Modifications: 92-323
Last modified:Tue, 01/22/2008 - 9:35pm

I created a new group, USADance-LA, and posted to it an event and agenda item. These nodes were NOT marked "Public", however, anonymous users could access them.

Posted issue here: http://drupal.org/node/204597

I know that if a node belongs to a group, but has taxonomy that matches a user, the user will be given access. In the case of the node posted to the USADance-LA group, First Board Meeting , nothing was selected in the "Categories" boxes, so the permissions should have defaulted to the Group realm, which only allowed "og_subscriber" to access the node. However, as noted before, ALL users could access the node.

So, I decided to look at the node_access table. I found this for the node in question, 3648:

CentralAveDance Permissions Problem

According to this previous issue, the gid represents the rid when the realm is term_access. So, my immediate question was "What is giving causing node to give the grant_view permission to roles 0 (which is non-existent) and 1 (anonymous user)?

I then looked at the term_access table:

CentralAveDance Permissions Problem

Apparently, rids 0 and 1 were being granted permissions on group nodes as a result of the first two lines of this query. I noted that I do not have a tid (term ID) = 0. So, this either represents something other than an actual term, or it's a mistake.

I decided to delete these two rows from the term_access table. After deleting them, I ran the "Rebuild Permissions" tool here:

That got rid of the rows in the node_access table, and the node itself is no longer publically available.

I have Taxonomy Access Control installed. I have had this site for some time, and have moved it (exported/imported data) at least once. My guess is that somewhere along the process, these grants were somehow added to term_access. My guess is that I probably should remove all non-existent tids from the term_access table, but I'm not sure. Will have to post this question on the TAC board.

Update (2007-01-12):

After I updated to Drupal 5.6, I noticed that I now have the same problem again. When I query the term_access table:

select * from term_access where tid = 0

I still see:

tid rid grant_view grant_update grant_delete grant_create grant_list
0 0 1 0 0 1 1
0 1 1 0 0 1 1
0 2 1 0 0 0 0
0 3 0 0 0 0 0
0 4 0 0 0 0 0
0 5 0 0 0 0 0
0 6 1 0 0 0 0
0 7 1 0 0 1 1
0 8 1 0 0 1 1

So, I'm entering:

delete from term_access where tid = 0 and rid = 1

And rebuilt node permissions: http://www.centralavedance.com/admin/content/node-settings/rebuild

That did it.

Nope. Now, authenticated users who are NOT a member of the group can still see Group content. That isn't good either. Think I need to delete the rid = 2 also:

delete from term_access where tid = 0 and rid = 2

Rebuilt node permissions in Post Settings .

Logged in as "usadancela" which is awaiting subscription approval in USA Dance LA group. Can NOT see the non-public group posts.

Approved "usadancela" for USA Dance LA group. As "usadancela", I can now see group content. Excellent!

Question: What keeps putting in those tid = 0 and rid = 1 & 2 term_access records?