Drupal is allowing viewing of unpublished content

Question

I inherited a Druapl5 site and it's showing content when published is not checked in the Publishing Options section of the Edit Content Form.

I confirmed that the status is 0 in the DB for the node. So it should be not visible.

My first guess was that I was logged in and that's why I could see it, but I logged out and I could still see it. I tried a different browser and the same thing so it's not that.

Also, the unpublished nodes are coming up in the search results which I originally thought was an out of date search cache, but may be something different.

Ever seen anything like this? Any ideas?

Answer 1

Rather strange. No answers, only guesses:

Try accessing admin/content/node-settings and click on Rebuild permissions.

And maybe clear the cache admin/settings/performance

Answer 2

Check your permissions for anonymous users. Seems like somewhere they have the wrong permisions.

Answer 3

Are you using Views? If so, make sure you have a filter set to show Published only.

I ran in to a similar problem with comments, which lead to some excellent spamming opportunities until I discovered it.

Answer 4

You mentioned in a comment that Content Access is installed on the site. This module (as well as several others, e.g. ACL) overrides the default Drupal node access mechanism in order to provide additional/more fine grained permission settings.

So my guess is that the permission configurations in that Module are configured wrong for your desired results. As far as I recall, it allows separate permission sets per content type (defined for authors and roles). You should look at your content type edit/definition pages - there should be a tab added by that module to configure the permissions. Also check the readme.txt of the module, as it might give some additional hints.

If that does not help, you should check if other node access modules are installed as well. As mentioned, there are quite a few of them, and their interactions are not easy to determine (One should aim to use only one, if possible).

Answer 5

All access modules override the default settings while using hook_node_access(). Most likely this is the problem. So you need to tweak those settings in the content access portion.

And this is not the best solution. But if you need something in the interim you can always put this code in the node.tpl.php file:

if(!$node->status && $user->uid != 1){

with code added:

<div id="node-<?php print $node->nid; ?>" class="node<?php if ($sticky) { print ' sticky'; } ?><?php if (!$status) { print ' node-unpublished'; } ?> clear-block">

<?php print $picture ?>
<?php

if(!$node->status && $user->uid != 1){

?>
<?php if ($page == 0): ?>
  <h2><a href="<?php print $node_url ?>" title="<?php print $title ?>"><?php print $title ?></a></h2>
<?php endif; ?>

  <div class="meta">
  <?php if ($submitted): ?>
    <span class="submitted"><?php print $submitted ?></span>
  <?php endif; ?>

  <?php if ($terms): ?>
    <span class="terms"><?php print $terms ?></span>
  <?php endif;?>
  </div>

  <div class="content">
    <?php print $content ?>
  </div>

<?php
  if ($links) {
    print $links;
  }
}//if for published node
?>

</div>