[drupal-devel] [bug] node revisions should only be viewable by admins

[jakeg]

Issue status update for 
http://drupal.org/node/30098
Post a follow up: 
http://drupal.org/project/comments/add/30098

 Project:      Drupal
 Version:      cvs
 Component:    node system
 Category:     bug reports
 Priority:     normal
 Assigned to:  Anonymous
 Reported by:  killes at www.drop.org
 Updated by:   jakeg
 Status:       patch (code needs review)

+1


I would also like to see the extra permissions added if possible: 


'view node revisions' - just for viewing node revisions


'administer node revisions' - to delete node revisions or set them as
default revision (i.e. current revision) for a node


I think this patch is important because e.g. if a revision is made
because sensitive information was included in a past revision, such as
a phone number, plain text email address (someone stupid didn't know
about spammers or the contact form) then these should definitely NOT be
accessible, and it would often be desirable to create a new revision to
a node rather than to edit the current copy without creating a
revision.




jakeg



Previous comments:
------------------------------------------------------------------------

Wed, 31 Aug 2005 13:36:19 +0000 : killes at www.drop.org

Attachment: http://drupal.org/files/issues/node_rev.patch (1.27 KB)

With or without the revisions patch, every user who can access content
can access old revisions. I think this is a bug because why would you
need to see old revisions if you cannot change them or make them the
current revision?


The attached patch fixes this and lets only users with "administer
nodes" permission see old revs as you need this permission to change
revisiosn to be the current one.


One might make a case for introducing new "view revisions" and "set
revisions" perms. You woud need those if you wanted to mimic a wiki
with Drupal.