Drupal: Taxonomy & Security

2
votes

I have an intranet on the Drupal platform. I am using permission to restrict access to certain node types that have sensitive information in them. This is all working nicely.

However, some of theses sensitive nodes use taxonomy as a method of categorization. The problem is, I have found certain paths, apparently created by the taxonomy module itself, that show teasers of these sensitive nodes, even to unauthenticated users.

for example: mysite.com/category/traintype/site

Shows the companies training appointments where the training type is onsite. These nodes are set so that they should not be accessible to users of a certain roles, and certainly not to unauthenticated users.

I have looked through Views on the site, and I don't see any taxonomy views. So, how can I make these paths inaccessible?

2
securitydrupal
Some more info needed: What version of Drupal? What module is used for the access restriction? I sounds like Views module is installed - again, which version?Henrik Opel
Ditto this. Drupal core itself doesn't have content type access restrictions, so this is important information. Node access is comprehensive, so if these users actually didn't have access to these nodes, the teasers should not be displaying, so my guess is that they're not actually access restricted yet. You want to focus on getting the right access control in place, not merely hiding the display of or links to the content.stephthegeek

2 Answers

1
votes

Another method is to alter node.tpl.php to strip the teaser if the user does not have access.

0
votes

You can use hook_menu() or hook_menu_alter() in a custom module to overwrite the default menu item that is created by the taxonomy module. Here you can add your own extra permission check or remove it altogether.