Hi all,
I think I found a bug.
I write a private blog and all readers must be logged in to read. I use the groups and user management to manage user reading-rights. So certain entries can only be read by certain people.
When I tried to deactivate my blog for moving it from one server to another, I removed all users from all groups, to ensure that no one can read any entry.
But suddenly all users could read all entries.
I created a dummy-group, added all users and the entries were hidden.
During deactivating, I found out that at least one user has to be in a group in order to save the changes made to the group.
Users can read all articles when not in any group
garvinhicking
- Core Developer
Re: Users can read all articles when not in any group
Hi!
That's a very interesting way to prepare a move
(It would be much much better to edit your .htaccess file to prevent access from anyone but you)
To answer your question properly, though: When a user is removed from ALL authorgroups, a failsafe mechanism of s9y takes effect and applies the user permissions based on the userlevel attribute. In your case that might have been an "editor" privilege, and that would grant access to all articles.
Hope that clears things for you
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
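The fallback described in the reply above, as an added example that is not part of the original thread and is not Serendipity's own code: a simplified Python model of a group check that falls back to the userlevel, a deny-by-default variant for comparison, and an audit that lists users the fallback would open entries to. The class and function names, the level value and the sample users are assumptions made for this illustration.

```python
# Simplified model of the behaviour described in the reply; NOT Serendipity's code.
# All names and the level value are assumptions made for this illustration.
from dataclasses import dataclass, field

EDITOR_LEVEL = 0  # assumed: any account at or above this level counts as "editor"

@dataclass
class User:
    name: str
    userlevel: int
    groups: set = field(default_factory=set)

@dataclass
class Entry:
    title: str
    read_groups: set  # groups allowed to read this entry

def can_read_failsafe(user, entry):
    """Fallback as described: no group membership -> decide by userlevel."""
    if user.groups:
        return bool(user.groups & entry.read_groups)
    return user.userlevel >= EDITOR_LEVEL  # group restrictions are skipped

def can_read_fail_closed(user, entry):
    """Deny-by-default variant: no group membership -> no access."""
    return bool(user.groups & entry.read_groups)

def audit_groupless(users, entries):
    """Report users with no groups and the entries the fallback opens to them."""
    report = {}
    for u in users:
        if not u.groups:
            report[u.name] = [e.title for e in entries if can_read_failsafe(u, e)]
    return report

# Constructed sample data
ENTRIES = [Entry("family", {"family"}), Entry("friends", {"friends"})]
USERS = [
    User("alice", EDITOR_LEVEL, {"family"}),
    User("bob", EDITOR_LEVEL, set()),         # removed from every group
    User("carol", EDITOR_LEVEL, {"locked"}),  # parked in a dummy group
]

if __name__ == "__main__":
    for name, titles in audit_groupless(USERS, ENTRIES).items():
        print(f"{name}: no groups, fallback grants {titles}")
```

In this model the user parked in a dummy group reads nothing, which matches the workaround reported in the first post, while the user with no groups reads every entry.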