For node-level permissions to work and to be secure, you must wrap most SQL queries that join the node table in a call to node_rewrite_sql(). See http://drupal.org/node/12347 for details. Note that the lists below probably contain false-positives! Nonetheless, it is recommended that you double-check your modules based on the information below. 1. The following modules still use node_access_join() and node_access_where_sql(), the old DRUPAL-4-5 access check mechanism, and need to be updated to HEAD: ./modules/buddylist/buddylist.module ./modules/ecommerce/product/product.module ./modules/event/event.module ./modules/import_export/import_export.module ./modules/keyword_links/keyword_links.module ./modules/postcard/postcard.module ./modules/project/project.module ./modules/quotes/quotes.module ./modules/recipe/recipe.module ./modules/remindme/remindme.module ./modules/weblink/weblink.module ./sandbox/axel/akvaforum/akvaforum.module ./sandbox/ber/flexinode_blog/blog.module ./sandbox/nysus/newsfeed/newsfeed.module 2. The following modules query the node table but do not appear to use access checks. One or more of their queries against the node table do not use node_rewrite_sql() (HEAD), node_access_join() (DRUPAL-4-5) or node_access_where_sql() (DRUPAL-4-5). These modules might fail to work with node-level permissions which would be both insecure and confusing: ./modules/admnotify/admnotify.module ./modules/atom/atom.module ./modules/bookmarks/bookmarks.module ./modules/buddylist/buddylist.module ./modules/commentrss/commentrss.module ./modules/copyright/copyright.module ./modules/daily/daily.module ./modules/ecommerce/parcel/parcel.module ./modules/filestore/filestore.module ./modules/filestore2/filestore2.module ./modules/flexinode/flexinode.module ./modules/friendlist/friendlist.module ./modules/image/image.module ./modules/image_browse/image_browse.module ./modules/image_filter/image_filter.module ./modules/img_assist/img_assist.module ./modules/import_export/import_export.module ./modules/inactive_user/inactive_user.module ./modules/listhandler/listhandler.module ./modules/mail/mail.module ./modules/mail_archive/mail_archive.module ./modules/navigation/navigation.module ./modules/navtable/navtable.module ./modules/node_aggregator/feed.module ./modules/node_aggregator/item.module ./modules/node_privacy_byrole/node_privacy_byrole.module ./modules/og/og.module ./modules/periodical/periodical.module ./modules/popup/popup.module ./modules/postcount_rank/postcount_rank.module ./modules/project/project.module ./modules/quotes/quotes.module ./modules/review/review.module ./modules/scheduler/scheduler.module ./modules/series/series.module ./modules/sidebar/sidebar.module ./modules/spam/spam.module ./modules/subscriptions/subscriptions.module ./modules/syndication/syndication.module ./modules/taxnav/taxnav.module ./modules/taxonomy_access/taxonomy_access.module ./modules/taxonomy_block/taxonomy_block.module ./modules/taxonomy_dhtml/taxonomy_dhtml.module ./modules/textile/textile.module ./modules/title/title.module ./modules/translation/translation.module ./modules/userposts/userposts.module ./modules/volunteer/volunteer.module ./modules/wiki/wiki.module ./sandbox/adrian/modules/weblink.module ./sandbox/ber/flexinode_blog/blog.module ./sandbox/ber/multilingual/multilingual.module ./sandbox/ber/nodeadmin/node.module ./sandbox/ber/related/related.module ./sandbox/geek/activity/activity.module ./sandbox/gordon/image/image.module ./sandbox/jareyero/image/image.module ./sandbox/jareyero/image/imagegallery.module ./sandbox/jseng/drupal4blog/modules/archive.module ./sandbox/jseng/drupal4blog/modules/atom.module ./sandbox/jseng/drupal4blog/modules/blog.module ./sandbox/jseng/drupal4blog/modules/blogapi.module ./sandbox/jseng/drupal4blog/modules/book.module ./sandbox/jseng/drupal4blog/modules/comment.module ./sandbox/jseng/drupal4blog/modules/forum.module ./sandbox/jseng/drupal4blog/modules/node.module ./sandbox/jseng/drupal4blog/modules/page.module ./sandbox/jseng/drupal4blog/modules/ping.module ./sandbox/jseng/drupal4blog/modules/poll.module ./sandbox/jseng/drupal4blog/modules/queue.module ./sandbox/jseng/drupal4blog/modules/statistics.module ./sandbox/jseng/drupal4blog/modules/subscriptions.module ./sandbox/jseng/drupal4blog/modules/taxonomy.module ./sandbox/jseng/drupal4blog/modules/title.module ./sandbox/junyor/comment.module ./sandbox/junyor/notify/notify.module ./sandbox/killes/catalog/catalog.module ./sandbox/killes/event.module ./sandbox/killes/flexinode.module ./sandbox/killes/speed-drupal/modules/statistics/statistics.module ./sandbox/marco/fileapi/filestore.module ./sandbox/marco/fileapi/pgallery.module ./sandbox/mathias/modules/breadcrumb/breadcrumb.module ./sandbox/mathias/modules/indexof/indexof.module ./sandbox/nedjo/modules/mapbuilder/mapbuilder.module ./sandbox/pablobm/modules/comment.module ./sandbox/stefan/image/image.module ./sandbox/stefan/image/imagegallery.module ./sandbox/tapio/todos/todos.module 3. The following contributed modules have been updated to use node_rewrite_sql(): <empty list> 4. I found several violations in core as well. Several queries in core need to be reviewed and updated. -- Dries Buytaert :: http://www.buytaert.net/