Drupal is allowing viewing of unpublished content

Question

I inherited a Druapl5 site and it's showing content when published is not checked in the Publishing Options section of the Edit Content Form.

I confirmed that the status is 0 in the DB for the node. So it should be not visible.

My first guess was that I was logged in and that's why I could see it, but I logged out and I could still see it. I tried a different browser and the same thing so it's not that.

Also, the unpublished nodes are coming up in the search results which I originally thought was an out of date search cache, but may be something different.

Ever seen anything like this? Any ideas?

Are you viewing the nodes directly or how can you see them? – googletorp Oct 24 '09 at 06:00 — googletorp, Oct 24 '09 at 06:00

Henrik Opel · Accepted Answer · 2009-10-26T14:30:29.440

You mentioned in a comment that Content Access is installed on the site. This module (as well as several others, e.g. ACL) overrides the default Drupal node access mechanism in order to provide additional/more fine grained permission settings.

So my guess is that the permission configurations in that Module are configured wrong for your desired results. As far as I recall, it allows separate permission sets per content type (defined for authors and roles). You should look at your content type edit/definition pages - there should be a tab added by that module to configure the permissions. Also check the readme.txt of the module, as it might give some additional hints.

If that does not help, you should check if other node access modules are installed as well. As mentioned, there are quite a few of them, and their interactions are not easy to determine (One should aim to use only one, if possible).

just for the record... this also happened to me and ended up being because I had 2 modules that controlled the published status: [Moder8](http://drupal.org/project/modr8) and [LM Paypal](http://drupal.org/project/lm_paypal). Nodes were being approved with Moder8 and thus _published_ but LM Paypal was still saying they were unpublished when in fact they were, so nodes were getting published without paying. — Naoise Golden, Jun 13 '11 at 23:09

score 2 · Answer 2 · answered Oct 23 '09 at 20:09

2

Are you using Views? If so, make sure you have a filter set to show Published only.

I ran in to a similar problem with comments, which lead to some excellent spamming opportunities until I discovered it.

answered Oct 23 '09 at 20:09

MattBelanger

5,280
6
37
34

What's weird is that I can go to the actual page that is unpublished as well. – easement Oct 23 '09 at 20:32
In our setting there is a search-view, but there is no published-filter available for it. – Andy May 20 '15 at 16:53

score 1 · Answer 3 · answered Oct 23 '09 at 19:26

1

Rather strange. No answers, only guesses:

Try accessing admin/content/node-settings and click on Rebuild permissions.

And maybe clear the cache admin/settings/performance

answered Oct 23 '09 at 19:26

score 1 · Answer 4 · answered Oct 23 '09 at 20:05

1

Check your permissions for anonymous users. Seems like somewhere they have the wrong permisions.

answered Oct 23 '09 at 20:05

googletorp

33,075
15
67
82

As far as permissions, the only one for anonymous user that is checked in the node module is access content. – easement Oct 23 '09 at 20:42
There is also a module called Content Access, but it only provides access and not edit. Any other ideas? – easement Oct 23 '09 at 21:02

score 0 · Answer 5 · answered Oct 24 '09 at 18:08

All access modules override the default settings while using hook_node_access(). Most likely this is the problem. So you need to tweak those settings in the content access portion.

And this is not the best solution. But if you need something in the interim you can always put this code in the node.tpl.php file:

if(!$node->status && $user->uid != 1){

with code added:

<div id="node-<?php print $node->nid; ?>" class="node<?php if ($sticky) { print ' sticky'; } ?><?php if (!$status) { print ' node-unpublished'; } ?> clear-block">

<?php print $picture ?>
<?php

if(!$node->status && $user->uid != 1){

?>
<?php if ($page == 0): ?>
  <h2><a href="<?php print $node_url ?>" title="<?php print $title ?>"><?php print $title ?></a></h2>
<?php endif; ?>

  <div class="meta">
  <?php if ($submitted): ?>
    <span class="submitted"><?php print $submitted ?></span>
  <?php endif; ?>

  <?php if ($terms): ?>
    <span class="terms"><?php print $terms ?></span>
  <?php endif;?>
  </div>

  <div class="content">
    <?php print $content ?>
  </div>

<?php
  if ($links) {
    print $links;
  }
}//if for published node
?>

</div>

This is supposed to be an interim solution. As stated in my post. If you wanted to turn this into a usable, long term solution you would change && $user->uid ==1 to allow for any user that is allowed to administer nodes. — lilott8, Oct 26 '09 at 16:10

Drupal is allowing viewing of unpublished content

5 Answers5