Piggybacking on yesterday's discussion of node permissions, we noticed last week that because of how monster_menus_menu_alter() works, access callbacks for node paths don't always end up running through mm_content_user_can_node() or an equivalent. Most of the time they do (thanks in part to MM's hook_node_access() implementation), but some poorly written 3rd-party modules don't use node_access() like they ought, so they slip through the cracks. For example, Feeds and Panels expose node/%/foo/bar paths, which MM copies (with their original access callbacks) into mm/%/node/%/foo/bar. Those new paths (e.g. mm/7/node/9999/import) may allow access even if the user does not have access to view the page or node itself. I singled out Feeds and Panels, but I'm sure there are other such modules.
In response, we've added https://github.com/jaydansand/mm_tweaks/tree/master/mm_ensure_node_access_check to mm_tweaks. This module implements hook_mm_menu_alter() to find node/% paths and guarantee that (in addition to their original access callback) all of them at least have MM_PERMS_READ checked (though the actual permission required for a given path can be changed by implementing hook_mm_ensure_node_access_check_perm_alter()).
Just an FYI in case anyone has run into similar problems with 3rd-party modules and wants a quick fix.
Jay Dansand '08
Senior Web Application Developer
Technology Services, Seeley G. Mudd Library
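
The wrapping approach described in the message above, as an added example that is not part of the original post and is not the mm_tweaks code: each node/% router item keeps its original access callback but must also pass a read check. All `example_*` names are hypothetical, the read check is a stand-in for a real MM_PERMS_READ test, and the router item and node are constructed sample data.

```php
<?php
// Added illustration, not mm_tweaks code; example_* names are hypothetical stand-ins.
function example_user_can_read($node) { return !empty($node->readable); }
function example_feeds_access($op) { return TRUE; } // never looks at the node

// New access callback: the read check AND the original callback must both pass.
function example_wrapped_access($node, $orig_callback) {
  $orig_args = array_slice(func_get_args(), 2);
  if (!is_object($node) || !example_user_can_read($node)) {
    return FALSE; // fail closed: node not loaded or not readable
  }
  if (is_bool($orig_callback)) { return $orig_callback; }
  return (bool) call_user_func_array($orig_callback, $orig_args);
}

// Alter step: wrap each router item whose path contains node/%...
function example_ensure_read_check(array &$items) {
  foreach ($items as $path => &$item) {
    $parts = explode('/', $path);
    $pos = array_search('node', $parts, TRUE);
    if ($pos === FALSE || !isset($parts[$pos + 1]) || strpos($parts[$pos + 1], '%') !== 0) {
      continue;
    }
    if (!isset($item['access callback']) && !isset($item['access arguments'])) {
      continue; // inherits its access settings from the parent item
    }
    $cb = isset($item['access callback']) ? $item['access callback'] : 'user_access';
    if (is_numeric($cb)) { $cb = (bool) $cb; } // a constant must not be read as a path position
    $args = isset($item['access arguments']) ? $item['access arguments'] : array();
    // Integer arguments are path positions that Drupal 7 swaps for loaded objects.
    $item['access arguments'] = array_merge(array($pos + 1, $cb), $args);
    $item['access callback'] = 'example_wrapped_access';
  }
  unset($item);
}

// Constructed demo mimicking Drupal 7's integer-argument substitution.
function example_check(array $item, array $map) {
  $args = array_map(function ($a) use ($map) {
    return is_int($a) ? (isset($map[$a]) ? $map[$a] : '') : $a;
  }, $item['access arguments']);
  return call_user_func_array($item['access callback'], $args);
}
$items = array('mm/%/node/%node/import' => array(
  'access callback' => 'example_feeds_access', 'access arguments' => array('import'),
));
example_ensure_read_check($items);
$hidden = (object) array('nid' => 9999, 'readable' => FALSE); // constructed node
var_dump(example_check($items['mm/%/node/%node/import'], array('mm', '7', 'node', $hidden, 'import')));
```

The sketch assumes the placeholder after `node` is a loader such as `%node`; with a bare `%` the wrapper receives a string and denies access.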