[drupal-devel] [bug] Statistic information about node reads is shown to unprivileged users

Robin Monks drupal-devel at drupal.org
Wed Aug 17 16:56:51 UTC 2005


Issue status update for 
http://drupal.org/node/22565
Post a follow up: 
http://drupal.org/project/comments/add/22565

 Project:      Drupal
 Version:      cvs
 Component:    statistics.module
 Category:     bug reports
 Priority:     normal
 Assigned to:  Robin Monks
 Reported by:  massabob
 Updated by:   Robin Monks
 Status:       patch (ready to be committed)
 Attachment:   http://drupal.org/files/issues/stat_counter_permission.HEAD.patch (3.04 KB)

New version of patch that renames the permission to "view node access
counter".


Tested on latest HEAD.  Ready to commit!


Robin




Robin Monks



Previous comments:
------------------------------------------------------------------------

Wed, 11 May 2005 07:51:40 +0000 : massabob

Information about '%count reads' in node's footer is shown to
unprivileged users. I suggest that function statistics_link in
statistics.module should be corrected in this way:


// Original

function statistics_link($type, $node = 0, $main = 0) {
  global $id;

  $links = array();

  if ($type != 'comment' && variable_get('statistics_display_counter', 0)) {
    $statistics = statistics_get($node->nid);
    if ($statistics) {
      $links[] = format_plural($statistics['totalcount'], '1 read', '%count reads');
    }
  }
  return $links;
}


// Fixed

function statistics_link($type, $node = 0, $main = 0) {
  global $id;

  $links = array();

  if ($type != 'comment' && variable_get('statistics_display_counter', 0) && user_access('display statistics')) {
    $statistics = statistics_get($node->nid);
    if ($statistics) {
      $links[] = format_plural($statistics['totalcount'], '1 read', '%count reads');
    }
  }
  return $links;
}


The only change is in "&& user_access('display statistics')" on line
98.




------------------------------------------------------------------------

Fri, 27 May 2005 01:44:25 +0000 : RobRoy

Should read user_access('access statistics') not user_access('display
statistics').




------------------------------------------------------------------------

Fri, 27 May 2005 11:19:36 +0000 : Robin Monks

Attachment: http://drupal.org/files/issues/user.access.stats.patch (730 bytes)

And here that is in patch form.


Robin




------------------------------------------------------------------------

Wed, 01 Jun 2005 04:09:16 +0000 : Steven

I'm not sure about this patch: often, read counts are shown directly on
the site. But if the permission for viewing the counts is the same as
the permission for accessing the administrator's detailed logs, then
you wouldn't give that to everyone.


There is already an option to choose whether counts are displayed.
Perhaps we could change that to "No" "For privileged users" "For
everyone". In the last case it acts like it does now; in the second case
it requires "access statistics" permission.


What do you think?




------------------------------------------------------------------------

Wed, 01 Jun 2005 14:13:54 +0000 : Robin Monks

Sounds good to me.  I'll try to code something up for this.


Robin




------------------------------------------------------------------------

Thu, 09 Jun 2005 13:55:49 +0000 : Robin Monks

Attachment: http://drupal.org/files/issues/authstats.patch (2.26 KB)

Here is the patch.  Uses a switch to choose between signed in users, all
users, users with permissions or no one.


Robin




------------------------------------------------------------------------

Thu, 09 Jun 2005 14:08:16 +0000 : Robin Monks

I tested this patch with various settings on my local install and it
worked fine.


Robin




------------------------------------------------------------------------

Thu, 09 Jun 2005 16:30:25 +0000 : Bèr Kessels

Is there a reason why you check for $user->uid?
When someone has "access statistics" set to anonymous users, your
check for $user->uid will override that setting. Not good IMO.



<?php
$group .= form_radios(t('Display counter values'), 'statistics_display_counter',
  variable_get('statistics_display_counter', 0),
  array('1' => t('For all users'), '2' => t('For authenticated users'), '3' => t('For priviledged users'), '0' => t('Disabled')),
  t('Display how many times given content has been viewed.'));
?>


is very inconsistent. Please use *only* the permissions page to set
permissions, and do not create new permissions-alike settings in any
configuration pages.


I would say a simple check for user_access('access statistics') will do
the trick.




------------------------------------------------------------------------

Thu, 09 Jun 2005 16:32:53 +0000 : Bèr Kessels

Sorry, I meant to say user_access('access statistics counter'), not
user_access('access statistics').


We already have "access statistics"; an additional "access statistics
counter" for showing users the counter should work.


Ber
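
The design point raised in the two comments above, as an added example that is not part of the thread or of any attached patch: a constructed PHP model comparing a settings-page mode combined with a $user->uid test against a single dedicated permission. The role table, demo_user_access() and both counter_visible_* functions are hypothetical stand-ins; the shape of the settings-based gate is an assumption, and only the permission names come from the thread and from Drupal.

```php
<?php
// Constructed model for illustration; not Drupal's code and not the attached patches.
// Role => permissions, as an administrator would set them on the permissions page.
$role_perms = array(
  'anonymous'     => array('access content', 'view node access counter'),
  'authenticated' => array('access content'),
  'moderator'     => array('access content', 'view node access counter'),
  'admin'         => array('access content', 'access statistics', 'view node access counter'),
);

// Hypothetical stand-in for user_access(): true if any of the account's roles holds $perm.
function demo_user_access($perm, $account, $role_perms) {
  foreach ($account['roles'] as $role) {
    if (in_array($perm, $role_perms[$role])) {
      return TRUE;
    }
  }
  return FALSE;
}

// Design A (assumed shape of the settings-radio approach): a site-wide mode plus a uid test.
// 0 = disabled, 1 = all users, 2 = authenticated users, 3 = privileged users.
function counter_visible_by_setting($mode, $account, $role_perms) {
  switch ($mode) {
    case 1: return TRUE;
    case 2: return $account['uid'] != 0;
    case 3: return $account['uid'] != 0 && demo_user_access('access statistics', $account, $role_perms);
    default: return FALSE;
  }
}

// Design B: one dedicated permission, decided only on the permissions page.
function counter_visible_by_permission($account, $role_perms) {
  return demo_user_access('view node access counter', $account, $role_perms);
}

$accounts = array(
  'visitor'   => array('uid' => 0, 'roles' => array('anonymous')),
  'member'    => array('uid' => 7, 'roles' => array('authenticated')),
  'moderator' => array('uid' => 8, 'roles' => array('authenticated', 'moderator')),
  'admin'     => array('uid' => 1, 'roles' => array('authenticated', 'admin')),
);

foreach ($accounts as $name => $account) {
  printf("%-10s setting(mode 3)=%-3s permission=%s\n", $name,
    counter_visible_by_setting(3, $account, $role_perms) ? 'yes' : 'no',
    counter_visible_by_permission($account, $role_perms) ? 'yes' : 'no');
}
```

Under design A in mode 3 the moderator can only be shown the counter by also being granted "access statistics", and the uid test denies the anonymous visitor whatever the permissions page says; design B follows the permissions page for every role.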




------------------------------------------------------------------------

Thu, 09 Jun 2005 16:49:48 +0000 : Robin Monks

Attachment: http://drupal.org/files/issues/statistics.module (23.1 KB)

OK, here is a patch to that end...


Robin




------------------------------------------------------------------------

Thu, 09 Jun 2005 17:00:50 +0000 : Robin Monks

Attachment: http://drupal.org/files/issues/authstats_0.patch (1 KB)

Um, let's just pretend I didn't just upload the entire stats module. 
OK?  OK!


Robin




------------------------------------------------------------------------

Thu, 09 Jun 2005 17:05:59 +0000 : Robin Monks

Attachment: http://drupal.org/files/issues/authstats_1.patch (1.06 KB)

Hotfix.


Robin




------------------------------------------------------------------------

Thu, 09 Jun 2005 17:11:23 +0000 : Robin Monks

Attachment: http://drupal.org/files/issues/authstats_2.patch (1.11 KB)

Hopefully the final version.  Thanks to chx and berkes for pulling it
apart ;-)


Robin




------------------------------------------------------------------------

Thu, 09 Jun 2005 17:21:38 +0000 : Bèr Kessels

+1 for this patch. It adds functionality, but does not add clutter nor
any config options.




------------------------------------------------------------------------

Fri, 10 Jun 2005 02:39:06 +0000 : frjo

+1 I have implemented the patch authstats_2.patch on my site running
Drupal 4.6.1 and it works well.




------------------------------------------------------------------------

Fri, 01 Jul 2005 08:10:22 +0000 : mfb

+1




------------------------------------------------------------------------

Fri, 01 Jul 2005 12:03:56 +0000 : Jose A Reyero

+1
I tested the patch, works fine, and I'm always for "more options" ;-)




------------------------------------------------------------------------

Mon, 01 Aug 2005 21:17:48 +0000 : Junyor

+1.  Using this on my site now.




------------------------------------------------------------------------

Tue, 02 Aug 2005 21:53:15 +0000 : Robin Monks

Attachment: http://drupal.org/files/issues/node_counter_permission.patch (2.97 KB)

This patch revision removes the duplicate show counter option from the
settings.  


Thanks UnConeD!


Robin




------------------------------------------------------------------------

Wed, 03 Aug 2005 15:44:59 +0000 : Dries

-1, the term "access statistics counter" doesn't tell me anything.  The
counters are for posts -- I think that should be reflected in the
permission's name.  Is this different from the 'Count content views'
setting?




------------------------------------------------------------------------

Wed, 03 Aug 2005 20:57:39 +0000 : Robin Monks

/the term "access statistics counter" doesn't tell me anything.  The
counters are for posts -- I think that should be reflected in the
permission's name.  /


Suggestions:
view node access counter
view node view counter
access node view counter
view node hit counter


I rather like "view node access counter".  Dries, would this satisfy
you?


/Is this different from the 'Count content views' setting?/


Yes, on two counts.

* These permissions are for users, not for admins.  The count content
views setting changes both
* This setting lets the administrator choose specific groups to see the
counter (eg, moderators, or only registered users)

Robin






