Group Access Permissions

Assigned to: somebody
Created: somebody at Tue, 01/01/2008 - 1:26pm
Status: Open (General Task / Priority 1-High)
Case ID: Public Display: 209-326

I created a new group, USADance-LA, and posted to it an event and agenda item. These nodes were NOT marked "Public"; however, anonymous users could access them.

Posted issue here:

I know that if a node belongs to a group, but has taxonomy that matches a user, the user will be given access. In the case of the node posted to the USADance-LA group, First Board Meeting, nothing was selected in the "Categories" boxes, so the permissions should have defaulted to the Group realm, which only allowed "og_subscriber" to access the node. However, as noted before, ALL users could access the node.

So, I decided to look at the node_access table. I found this for the node in question, 3648:

[Image: CentralAveDance Permissions Problem]

According to this previous issue, the gid represents the rid when the realm is term_access. So, my immediate question was "What is causing the node to give the grant_view permission to roles 0 (which is non-existent) and 1 (anonymous user)?"

I then looked at the term_access table:

[Image: CentralAveDance Permissions Problem]

Apparently, rids 0 and 1 were being granted permissions on group nodes as a result of the first two lines of this query. I noted that I do not have a tid (term ID) = 0. So, this either represents something other than an actual term, or it's a mistake.

I decided to delete these two rows from the term_access table. After deleting them, I ran the "Rebuild Permissions" tool here:

That got rid of the rows in the node_access table, and the node itself is no longer publicly available.

I have Taxonomy Access Control installed. I have had this site for some time, and have moved it (exported/imported data) at least once. My guess is that somewhere along the process, these grants were somehow added to term_access. My guess is that I probably should remove all non-existent tids from the term_access table, but I'm not sure. Will have to post this question on the TAC board.
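
An added example, not part of the original case and not Drupal or Taxonomy Access Control code: a read-only audit for the two conditions described above, run against an in-memory SQLite copy. The table layouts are simplified assumptions, the rows are constructed, and the function names are hypothetical; it reports rows for review and deletes nothing.

```python
import sqlite3

# Simplified stand-ins for the tables named in the post; column sets are assumed.
SCHEMA = """
CREATE TABLE term_data   (tid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE term_access (tid INTEGER, rid INTEGER, grant_view INTEGER);
CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT, grant_view INTEGER);
"""

# Constructed sample rows modelled on the situation described for node 3648.
SAMPLE = """
INSERT INTO term_data   VALUES (12, 'Events');
INSERT INTO term_access VALUES (0, 0, 1), (0, 1, 1), (12, 2, 1);
INSERT INTO node_access VALUES
  (3648, 0, 'term_access', 1),
  (3648, 1, 'term_access', 1),
  (3648, 77, 'og_subscriber', 1);
"""

ANONYMOUS_RID = 1  # anonymous role, as noted in the post


def orphan_term_grants(db):
    """View grants in term_access whose tid has no matching term_data row."""
    return db.execute(
        "SELECT ta.tid, ta.rid FROM term_access ta "
        "LEFT JOIN term_data td ON td.tid = ta.tid "
        "WHERE td.tid IS NULL AND ta.grant_view = 1 "
        "ORDER BY ta.tid, ta.rid").fetchall()


def anonymous_group_nodes(db):
    """Group nodes (og_subscriber realm) that anonymous can view via term_access."""
    return [row[0] for row in db.execute(
        "SELECT DISTINCT g.nid FROM node_access g "
        "JOIN node_access t ON t.nid = g.nid "
        "WHERE g.realm = 'og_subscriber' AND t.realm = 'term_access' "
        "AND t.gid = ? AND t.grant_view = 1 ORDER BY g.nid", (ANONYMOUS_RID,))]


def build_sample_db():
    """Create the in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db


if __name__ == "__main__":
    db = build_sample_db()
    print("orphan term grants (tid, rid):", orphan_term_grants(db))
    print("group nodes visible to anonymous:", anonymous_group_nodes(db))
```
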