Sorry to be so blunt, but I am still in shock that the Drupal.org crew would do such a thing, and double the shock because this 'feature' has been sitting there for now 6 revisions of the 4.7 code and no one has corrected it.

I upgraded from the CVS sources yesterday, it all went well, but later got an email from a user asking why I had exposed the "Ban" button. Ban button? Oh, I thought, that must be because the user in question was a privileged user. But no, this morning I loaded up my test site and there it was in the Anonymous default menu: Top Visitors, and under that click, with Googlebot naturally at the top of the list and all sorts of personal IP information exposed publicly, and beside each, the word "Ban" -- naturally when you click this you get "access denied" but that only means bad user experience design because the Ban button shouldn't be there in the first place, and the Top Visitors button most certainly should not be exposed to crawlers and any anonymous visitors. I went into the menus admin and there the only option appears to be to disable the menu for everyone, so of course I did.

But that wasn't the shocker.

Is Drupal now a strong supporter of referrer spammers????

I couldn't believe it: there on the default Anonymous menu I also find Top Referrers and sure enough, I click through and there I find a most explicit list of porn site URLs!!!

WTF????

Excuse me for being so naive and I realize that I have not participated in the release discussions in years so I can hardly have cause to complain, but honestly, what were you all thinking of by making this link exposed to the Anonymous account???!!!! I am shocked, shocked and dismayed. What does this say about the software when it steps forth to so boldly support the cause of the referrer spammers? Are you all now spammers? Does Drupal.org get kickbacks from spammers (the way, say, Wordpress was caught doing a while back)? I can't believe that, I really can't believe it.

But there it is, front page, top of the navigation column, right there for every webcrawler to see and click through, there for every child and parent to my site to say "I wonder what this does?" and get themselves an eyeful. I just can't believe it could be done intentionally, but there it is, on all my sites, the default.

Now I am really frightened of upgrading to 5.x

Comments

VM’s picture

I can't seem to duplicate this. I have no top referrers list shown as default in 4.7.6 or in 5.1.

VM’s picture

Out of curiosity, are you also using the referral module?

schwa’s picture

I would take this up with the author of whichever referral module you are using; it's definitely not Drupal default behavior.

VM’s picture

Priority: Critical » Normal
Status: Active » Postponed (maintainer needs more info)

Marking as needs more info & changing the priority to normal.

teledyn’s picture

Priority: Normal » Critical
Status: Postponed (maintainer needs more info) » Active

I am still trying to figure out (a) how it got there and (b) how to get rid of it without losing these features for the admin accounts.

Here's my theory: It is there if you make statistics public, which I had done so anonymous visitors would see the "Viewed N times" footnote on stories posted, and so they could see the sidebar of Today's Top and All Time Top stories -- you had to make stats public to get these features in the 4.5 that I had started with.

To upgrade, I cleared out the 4.5 sources and replaced them with 4.6, so there were no modules, none except what is in the distro sources as downloaded from the CVS. I then did the same, removing all sources and replacing them with the 4.7.6 CVS sources.

I didn't notice because I foolishly didn't try accessing my sites as the anon account; leaving that until morning because it had been a long day.

The Top Referrers and Top Visitors links appeared on 4 out of 6 of my Drupal sites; the sites where it didn't appear did not show any top-story sidebar or the view-count, so that's what leads me to believe the values have something to do with making stats public. I checked in the Access Rules and could not find any clear way to make these menu links out-of-bounds, and the only way I could remove them was to edit the menu module to disable those items under the "log" items. It does seem odd that the Log items should become included in the Navigation menu for Anonymous users, but could that be a side-effect of changes to either the menu or to the Logging or even perhaps to the access rules code?

Thanks for the fast response on this -- although I did intentionally word my subject line to draw attention and I apologize for that, but if this happened to me, I would expect those two innocent-looking menu links might appear on a lot of Drupal websites, and once crawled by a googlebot, it will indelibly boost the rank of those referrer spam sites and associate the victim site with those keywords for both search and AdSense results. I think that makes it a serious hole in the code worth ferreting out and plugging.

VM’s picture

I've never used 4.6, let alone 4.5. I also do not have stats available to the public, which would explain why I do not have these menu items showing.

It may benefit to change the title to reflect your situation so that maybe one of the devs who are more familiar with the old releases of Drupal can comment. Not sure how much support is available on Drupal 4.6 with the release of Drupal 5.

drumm’s picture

Title: Is Drupal Out Of Its Freakin' Mind? » Statistics pages visible to anonymous users
Project: » Drupal core
Version: » 4.7.x-dev
Component: other » statistics.module
Category: bug » support

ScoutBaker’s picture

As of D5.7, this still functions the same. Set the statistics.module access controls for unauthenticated users to:
access statistics = true

The unauthenticated users get the menu options for viewing Top referrers, Top visitors, etc. Obviously those users can see who the referrers are, and they still see the ban link for the Top visitors.

Under D6.0 this works slightly differently. Setting the permission does not show the menu options at all. However, if you add a menu item that points to the Top visitors (admin/reports/visitors) the unauthenticated user can then access the report and still sees the ban link.

@teledyn: If you are still interested in different functionality, perhaps this should be a feature request for D7.
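
An added example, not part of any comment in this thread and not Drupal code: a check for whether the anonymous role holds the "access statistics" permission discussed above. It assumes the Drupal 5/6 schema (`role` and `permission` tables, a comma-separated `perm` column, anonymous role at rid 1) and uses a constructed in-memory SQLite database in place of the site database; flagging "administer ..." permissions as well is an assumption of this example.

```python
import sqlite3

ANONYMOUS_RID = 1                    # rid of the anonymous role (assumed D5/D6)
SENSITIVE = {"access statistics"}    # permission named in this thread

# Query a site administrator could run against the real database.
QUERY = ("SELECT r.name, p.perm FROM permission p "
         "JOIN role r ON r.rid = p.rid WHERE p.rid = ?")


def build_sample_db(anon_perms="access content, access statistics, "):
    """Create constructed sample tables shaped like the D5/D6 schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE permission (rid INTEGER, perm TEXT, tid INTEGER)")
    db.executemany("INSERT INTO role VALUES (?, ?)", [
        (1, "anonymous user"), (2, "authenticated user"), (3, "site admin")])
    db.executemany("INSERT INTO permission VALUES (?, ?, 0)", [
        (1, anon_perms),
        (2, "access content, post comments, "),
        (3, "access statistics, administer access control, ")])
    return db


def parse_perms(perm_field):
    """Split a stored string such as 'a, b, ' into exact permission names."""
    return {p.strip() for p in perm_field.split(",") if p.strip()}


def audit_anonymous(db):
    """Return the sensitive permissions granted to the anonymous role."""
    findings = set()
    for _name, perm_field in db.execute(QUERY, (ANONYMOUS_RID,)):
        for perm in parse_perms(perm_field):
            # Exact match on the statistics permission; the "administer "
            # prefix rule is this example's own assumption.
            if perm in SENSITIVE or perm.startswith("administer "):
                findings.add(perm)
    return sorted(findings)


if __name__ == "__main__":
    for perm in audit_anonymous(build_sample_db()):
        print("anonymous role holds:", perm)
```
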

ainigma32’s picture

Version: 4.7.x-dev » 5.7
Status: Active » Fixed

It seems there is no interest in making this a feature request for D7 so I'm setting this to fixed.

If you think that is wrong somehow feel free to reactivate the issue.

- Arie

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.