Disabling /node view and other hidden views in Drupal?

Question

Many long nights spent on my site, and now I've started doing all sorts of security checks and stumbled upon the following:

www.mysite.com/node

That shows the latest x nodes that a user has access to. I DON't want this view visible to users. And I certainly don't want any other views similar to this available. So, my questions are:

1. How do I disable this view?
2. Are there other hidden views that I'm not aware of that an anonymous user can use to access several nodes at once?

Answer 1

the "node" view is the default frontpage view. So it is usually the same tha appear on you're frontpage.

Answer 2

One relatively simple way to do this that works is to turn on the Path module under core and alias /node to something else like /node/1 or whatever ..

Not sure about other urls that get you things you don't wanna see... i would think this technique would work for any you come across

Answer 3

You want to use hook_menu_alter() in a custom module to reroute what happens when someone tries to load the page at /node. There are two approaches.

First, you could give an unequivocal access denied:

function custom_module_menu_alter(&$items) {
  $items['node']['access callback'] = FALSE;
}

Second, you could reroute the page to one of your choice:

function custom_module_menu_alter(&$items) {
  $items['node']['page callback'] = 'custom_module_new_page_content';
}
function custom_module_new_page_content() {
  return 'Go away!';
}

Other Listings

If you are worried about listings where users have access, the search results and tracker are the only other places that I can recall.

This comment provides the logic to unset whatever you want from the search results using a custom module.

Unfortunately the Tracker is not particularly customizable without direct hacks. Your best bet is to use one of the tracker replacements in contrib, or easier yet, modify the Tracker replacement that is packaged with the Views module.

EDIT: Clarification- you could also disable the Tracker module form the optional "core" modules. However, it is a very useful functionality so you might want to keep it around in some form.

Answer 4

As for disabling paths you found, I'd second Graysides suggestion of using hook_menu_alter to adjust the access callback.

As for other 'hidden' views, this depends a lot on the modules you use, as many modules add some default 'views' (in the sense of overview pages, not necessarily views module views). So instead of trying to find them indirectly here, I'd suggest to take a look at the menu_router table of your Drupal database. There you'll find all paths currently used by your instance (internal paths, not aliases, but all aliases map to an internal one).