[drupal-devel] [bug] Statistic information about node reads is shown to unprivileged users

[Robin Monks]

Issue status update for http://drupal.org/node/22565

 Project:      Drupal
 Version:      cvs
 Component:    statistics.module
 Category:     bug reports
 Priority:     normal
 Assigned to:  Robin Monks
 Reported by:  massabob
 Updated by:   Robin Monks
 Status:       patch

I tested this patch with various settings on my local install and it
worked fine.


Robin




Robin Monks



Previous comments:
------------------------------------------------------------------------

May 11, 2005 - 07:51 : massabob

Information about '%count reads' in node's footer is shown to
unprivileged users. I suggest that function statistics_link in
statistics.module should be corrected in this way:


// Original


function statistics_link($type, $node = 0, $main = 0) {
  global $id;


  $links = array();


  if ($type != 'comment' && variable_get('statistics_display_counter',
0)) {
    $statistics = statistics_get($node->nid);
    if ($statistics) {
      $links[] = format_plural($statistics['totalcount'], '1 read',
'%count reads');
    }
  }
  return $links;
}


// Fixed


function statistics_link($type, $node = 0, $main = 0) {
  global $id;


  $links = array();


  if ($type != 'comment' && variable_get('statistics_display_counter',
0) && user_access('display statistics')) {
    $statistics = statistics_get($node->nid);
    if ($statistics) {
      $links[] = format_plural($statistics['totalcount'], '1 read',
'%count reads');
    }
  }
  return $links;
}


The only change is in "&& user_access('display statistics')" on line
98.




------------------------------------------------------------------------

May 27, 2005 - 01:44 : rbarreca

Should read user_access('access statistics') not user_access('display
statistics').




------------------------------------------------------------------------

May 27, 2005 - 11:19 : Robin Monks

Attachment: http://drupal.org/files/issues/user.access.stats.patch (730 bytes)

And here that is in patch form.


Robin




------------------------------------------------------------------------

June 1, 2005 - 04:09 : Steven

I'm not sure about this patch: often, read counts are shown directly on
the site. But if the permission for viewing the counts is the same as
the permission for accessing the administrator's detailed logs, then
you wouldn't give that to everyone.


There is already an option to choose whether counts are displayed.
Perhaps we could change that to "No" "For priviledged users" "For
everyone". In last case it acts like it is now, it the second case it
requires "access statistics" permission.


What do you think?




------------------------------------------------------------------------

June 1, 2005 - 14:13 : Robin Monks

Sounds good to me.  I'll try to code something up for this.


Robin




------------------------------------------------------------------------

June 9, 2005 - 13:55 : Robin Monks

Attachment: http://drupal.org/files/issues/authstats.patch (2.26 KB)

Here is the patch.  Uses a switch to choose between signed in users, all
users, users with permissions or noone.


Robin