[drupal-devel] [bug] node revisions should only be viewable by admins
killes
drupal-devel at drupal.org
Thu Sep 1 23:55:49 UTC 2005
Issue status update for
http://drupal.org/node/30098
Post a follow up:
http://drupal.org/project/comments/add/30098
Project: Drupal
Version: cvs
Component: node system
Category: bug reports
Priority: normal
Assigned to: Anonymous
Reported by: killes at www.drop.org
Updated by: killes at www.drop.org
Status: patch (code needs review)
Boris, what you propose makes sense to me. I am however waiting for
feedback from Dries before I re-roll this patch.
If we introduce these new permissions, maybe we should factor the
revisions out into their own module?
killes at www.drop.org
Previous comments:
------------------------------------------------------------------------
Wed, 31 Aug 2005 13:36:19 +0000 : killes at www.drop.org
Attachment: http://drupal.org/files/issues/node_rev.patch (1.27 KB)
With or without the revisions patch, every user who can access content
can access old revisions. I think this is a bug because why would you
need to see old revisions if you cannot change them or make them the
current revision?
The attached patch fixes this and lets only users with "administer
nodes" permission see old revs as you need this permission to change
revisions to be the current one.
One might make a case for introducing new "view revisions" and "set
revisions" perms. You would need those if you wanted to mimic a wiki
with Drupal.
------------------------------------------------------------------------
Wed, 31 Aug 2005 13:55:14 +0000 : jakeg
+1
I would also like to see the extra permissions added if possible:
'view node revisions' - just for viewing node revisions
'administer node revisions' - to delete node revisions or set them as
default revision (i.e. current revision) for a node
I think this patch is important because e.g. if a revision is made
because sensitive information was included in a past revision, such as
a phone number, plain text email address (someone stupid didn't know
about spammers or the contact form) then these should definitely NOT be
accessible, and it would often be desirable to create a new revision to
a node rather than to edit the current copy without creating a
revision.
------------------------------------------------------------------------
Wed, 31 Aug 2005 13:55:28 +0000 : Morbus Iff
I disagree. I see revisions as a means of updating a document for the
users. If a user has read the document, then sees that a revision has
been made, I'd want to provide him with some sort of diff that shows
him exactly what, as opposed to making him read the whole blasted thing
over and over again. In essence, I want a wiki diff between revisions
(for example) [1]. Putting this permission in place would restrict my
ability to do that.
[1]
http://gamegrene.com/wiki/?title=WhereIsWhere&curid=927&diff=0&oldid=0&rcid=4785
------------------------------------------------------------------------
Wed, 31 Aug 2005 13:57:15 +0000 : Morbus Iff
Note to self: actually read the whole report before commenting.
-1 to JUST this patch. +1 to view/set revisions.
------------------------------------------------------------------------
Wed, 31 Aug 2005 13:59:13 +0000 : jakeg
good point #2 Morbus, but the revisions tab isn't accessible to normal
users anyway... they only get to see the revisions if they know the URL
to get there (?revision=x in 4.6; /revisions/x in head)
but i agree that it's definitely better with the extra permissions
------------------------------------------------------------------------
Thu, 01 Sep 2005 19:39:54 +0000 : robertDouglass
Please don't lump it in with administer nodes, please make a new
permission.
------------------------------------------------------------------------
Thu, 01 Sep 2005 21:02:15 +0000 : Boris Mann
Yes, please make this a separate permission.
In actuality, the use cases for viewing revisions probably need a
permission *per node type*.
E.g. a site uses "story" for front page content. Editors sometimes
revise stories, but don't want those revisions public. The same site
uses book pages like a wiki. It gives all users create/edit/maintain
book privileges, and additionally wants them to be able to see
revisions.
So, if we don't enable viewing revisions for node type, I would hope
for a way to override this at the node type/module level -- so a custom
wiki.module could automatically add a "view revisions" permission.
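
The per-node-type revision check discussed in this thread, combined with the "administer nodes" gate from the original patch, as an added example that is not part of the thread and is not Drupal code. The function names, the "view <type> revisions" permission strings and the sample roles and nodes are assumptions constructed for illustration; the check runs where a revision is loaded, so it also covers a revision requested directly by URL rather than through the revisions tab.

```php
<?php
// Added illustration; not Drupal core code. All function names and the
// "view <type> revisions" permission strings are hypothetical.

// Constructed sample data: role => granted permissions.
$role_perms = array(
  'anonymous' => array('access content'),
  'member'    => array('access content', 'view book revisions'),
  'editor'    => array('access content', 'administer nodes'),
);

// Constructed sample nodes: nid => node type and current revision id.
$nodes = array(
  1 => array('type' => 'story', 'current' => 3),
  2 => array('type' => 'book',  'current' => 5),
);

function role_has($role, $perm) {
  global $role_perms;
  return isset($role_perms[$role]) && in_array($perm, $role_perms[$role], TRUE);
}

// Decide whether $role may load revision $rev of node $nid. Meant to be
// called by the request handler itself, so hiding the revisions tab is
// never the only thing standing between a user and an old revision.
function revision_access($role, $nid, $rev) {
  global $nodes;
  if (!isset($nodes[$nid]) || !role_has($role, 'access content')) {
    return FALSE;
  }
  $node = $nodes[$nid];
  if ($rev === NULL || (int) $rev === $node['current']) {
    return TRUE;  // Current revision: ordinary content access applies.
  }
  // Old revision: site-wide admin right, or the per-type view permission.
  return role_has($role, 'administer nodes')
      || role_has($role, 'view ' . $node['type'] . ' revisions');
}

// Old story revisions stay private; old book revisions are open to members.
foreach (array('anonymous', 'member', 'editor') as $role) {
  foreach (array(array(1, 2), array(2, 4), array(2, 5)) as $req) {
    list($nid, $rev) = $req;
    printf("%-9s node %d rev %d: %s\n", $role, $nid, $rev,
      revision_access($role, $nid, $rev) ? 'allow' : 'deny');
  }
}
```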