Issue status update for http://drupal.org/node/30098 Post a follow up: http://drupal.org/project/comments/add/30098 Project: Drupal Version: cvs Component: node system Category: bug reports Priority: normal Assigned to: Anonymous Reported by: killes@www.drop.org Updated by: killes@www.drop.org Status: patch (code needs review) Attachment: http://drupal.org/files/issues/node_rev_0.patch (7.69 KB) Ok, here is a patch which implements edit and view permissions per node type. "admin nodes" is still valid as well. Needs testing. killes@www.drop.org Previous comments: ------------------------------------------------------------------------ Wed, 31 Aug 2005 13:36:19 +0000 : killes@www.drop.org Attachment: http://drupal.org/files/issues/node_rev.patch (1.27 KB) With or without the revisions patch, every user who can access content can access old revisions. I think this is a bug because why would you need to see old revisions if you cannot change them or make them the current revision? The attached patch fixes this and lets only users with "administer nodes" permission see old revs as you need this permission to change revisiosn to be the current one. One might make a case for introducing new "view revisions" and "set revisions" perms. You woud need those if you wanted to mimic a wiki with Drupal. ------------------------------------------------------------------------ Wed, 31 Aug 2005 13:55:14 +0000 : jakeg +1 I would also like to see the extra permissions added if possible: 'view node revisions' - just for viewing node revisions 'administer node revisions' - to delete node revisions or set them as default revision (i.e. current revision) for a node I think this patch is important because e.g. if a revision is made because sensitive information was included in a past revision, such as a phone number, plain text email address (someone stupid didn't know about spammers or the contact form) then these should definitely NOT be accessible, and it would often be desirable to create a new revision to a node rather than to edit the current copy without creating a revision. ------------------------------------------------------------------------ Wed, 31 Aug 2005 13:55:28 +0000 : Morbus Iff I disagree. I see revisions as a means of updating a document for the users. If a user has read the document, then sees that a revision has been made, I'd want to provide him with some sort of diff that shows him exactly what, as opposed to making him read the whole blasted thing over and over again. In essence, I want a a wiki diff between revisions (for example) [1]. Putting this permission in place would restrict my ability to do that. [1] http://gamegrene.com/wiki/?title=WhereIsWhere&curid=927&diff=0&oldid=0&rcid=... ------------------------------------------------------------------------ Wed, 31 Aug 2005 13:57:15 +0000 : Morbus Iff Note to self: actually read the whole report before commenting. -1 to JUST this patch. +1 to view/set revisions. ------------------------------------------------------------------------ Wed, 31 Aug 2005 13:59:13 +0000 : jakeg good point #2 morbis, but the revisions tab isn't accessible to normal users anyway... they only get to see the revisions if they know the URL to get there (?revision=x in 4.6; /revisions/x in head) but i agree that its definitely better with the extra permissions ------------------------------------------------------------------------ Thu, 01 Sep 2005 19:39:54 +0000 : robertDouglass Please don't lump it in with administer nodes, please make a new permission. ------------------------------------------------------------------------ Thu, 01 Sep 2005 21:02:15 +0000 : Boris Mann Yes, please make this a separate permission. In actuality, the use cases for viewing revisions probably needs a permission *per node type*. E.g. a site uses "story" for front page content. Editors some times revise stories, but don't want those revisions public. The same site uses book pages like a wiki. It gives all users create/edit/maintain book privileges, and additionally wants them to be able to see revisions. So, if we don't enable viewing revisions for node type, I would hope for a way to override this at the node type/module level -- so a custom wiki.module could automatically add a "view revisions" permission. ------------------------------------------------------------------------ Thu, 01 Sep 2005 23:55:46 +0000 : killes@www.drop.org Boris, what you propose makes sense to me. I am however waiting for feedback from Dries before I re-roll this patch. if we introduce this new permissions, maybe we should factor the revisions out into their own module? ------------------------------------------------------------------------ Fri, 02 Sep 2005 01:37:34 +0000 : Boris Mann Revisions as a separate module might very well make more sense. Sites can choose to run with them enabled or not. Might make it easier to eventually do file versioning if we can hook into a module. ------------------------------------------------------------------------ Fri, 02 Sep 2005 05:46:30 +0000 : Dries +1 for the permission(s), -1 for moving the revisions to a new module at this point. ------------------------------------------------------------------------ Fri, 02 Sep 2005 13:08:21 +0000 : killes@www.drop.org Dries, thanks for the feedback. I will prepare such a patch. Thanks for saving my time, too. ;) Boris, we already do some sort of file revisions. A file that is attached to one revision can be deleted from another one, but will still be available with the original revision. Only if we delete a node completely, the file will actually deleted (or you delete it from every revision).