From 11e18568f951cb431b0e0e6514767f2516e0d75b Mon Sep 17 00:00:00 2001 From: David Rothstein Date: Mon, 1 Feb 2016 19:06:41 -0500 Subject: Issue #1559506 by finnydobson, JuliaKM, snehi, anil280988, priya.chat, laranajim, jhodgdon, alexpott: Query alter docs need some clarification --- modules/node/node.module | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/node/node.module b/modules/node/node.module index af0e3860d..1d88834cd 100644 --- a/modules/node/node.module +++ b/modules/node/node.module @@ -2953,7 +2953,10 @@ function node_search_validate($form, &$form_state) { * system. When adding a node listing to your module, be sure to use a dynamic * query created by db_select() and add a tag of "node_access". This will allow * modules dealing with node access to ensure only nodes to which the user has - * access are retrieved, through the use of hook_query_TAG_alter(). + * access are retrieved, through the use of hook_query_TAG_alter(). Tagging a + * query with "node_access" does not check the published/unpublished status of + * nodes, so the base query is responsible for ensuring that unpublished nodes + * are not displayed to inappropriate users. * * Note: Even a single module returning NODE_ACCESS_DENY from hook_node_access() * will block access to the node. Therefore, implementers should take care to -- cgit v1.2.3