Recent Changes module shows changes for pages which the logged-in user is not allowed to see
Dio - April 4, 2007 - 13:22
| Project: | Recent Changes |
| Version: | 4.7.x-1.0 |
| Component: | User interface |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | duplicate |
Jump to:
Description
I have noticed that the Recent Changes module shows all changes made to the site to all users. If a user is not allowed to access some content - for example, posts made to private forums (forum access module) or private nodes (nodeaccess module) - he should not be presented with a link to it in the recent changes overview. Only nodes which can be accessed by the logged-in user should be displayed.
#1
I have added the node access check in the new dev version. Can you test it and tell me if it works for you?
#2
No, unfortunately it doesn't work at all. Pages which the current user isn't allowed to see are still shown. Additionally, every single entry is shown twice now (!).
#3
I have the same problem with the Active Forum Topics in a Private forum. The problem seems to be user specific. If these users post a topic to a private forum it automatically becomes public and is displayed in the active forum topics block. For other users this does not happen. I have checked the user profiles and they look exactly the same - indeed I created a brand new user with the same profile and access settings as my own - the new user exhibited the problem but my own account does not.
Please help we are trying to use Drupal as a unified public/private collaboration platform but if "private" messages are displayed publically then half of the objective cannot be met :-(
#4
Recent Changes doesn't seem to respect node access (in my case it's OG's access controls).
#5
Any fix to the privileges in recent changes would need to contain a fix for the RSS feed for it to require authentication. As it stands the feed is either authenticated or not depending on the feed reader you're using, and whether it recognizes your logged in cookie. I'm using
A better solution would be to make the feed require authentication so you can tell your reader that you are a specific user, and the feed will then only output recent changes that your user can see.
Edit: Just out of interest, this ticket's version is listed as 4.7. Should there be another ticket for 5.x, or do we just have one ticket and fix it in two places (bit messy)
#6
For 5.x see http://drupal.org/node/217262
And now that 6 is out there should be a 6.x version..?
#7
I wrote a patch that fixes this (at least in 5.x), and several other things. See:
http://drupal.org/node/220801#comment-730235
maybe a backport to 4.7 is needed.
#8
Holy smokes, the patch at http://drupal.org/node/226304#comment-750398 makes Recent Changes usable with node access! I'm marking this issue as a duplicate.