Closed (duplicate)
Project: Recent Changes
Version: 4.7.x-1.0
Component: User interface
Priority: Critical
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 4 Apr 2007 at 13:22 UTC
Updated: 10 Jan 2009 at 20:51 UTC
I have noticed that the Recent Changes module shows all changes made to the site to all users. If a user is not allowed to access some content - for example, posts made to private forums (forum access module) or private nodes (nodeaccess module) - he should not be presented with a link to it in the recent changes overview. Only nodes which can be accessed by the logged-in user should be displayed.
Comments
Comment #1
rötzi commented:
I have added the node access check in the new dev version. Can you test it and tell me if it works for you?
Comment #2
Dio-1 commented:
No, unfortunately it doesn't work at all. Pages which the current user isn't allowed to see are still shown. Additionally, every single entry is shown twice now (!).
Comment #3
John Maughan commented:
I have the same problem with the Active Forum Topics in a Private forum. The problem seems to be user specific. If these users post a topic to a private forum it automatically becomes public and is displayed in the active forum topics block. For other users this does not happen. I have checked the user profiles and they look exactly the same - indeed I created a brand new user with the same profile and access settings as my own - the new user exhibited the problem but my own account does not.
Please help. We are trying to use Drupal as a unified public/private collaboration platform, but if "private" messages are displayed publicly then half of the objective cannot be met :-(
Comment #4
Christefano-oldaccount commented:
Recent Changes doesn't seem to respect node access (in my case it's OG's access controls).
Comment #5
fuzzy_texan commented:
Any fix to the privileges in recent changes would need to contain a fix for the RSS feed for it to require authentication. As it stands the feed is either authenticated or not depending on the feed reader you're using, and whether it recognizes your logged-in cookie. I'm using
A better solution would be to make the feed require authentication so you can tell your reader that you are a specific user, and the feed will then only output recent changes that your user can see.
Edit: Just out of interest, this ticket's version is listed as 4.7. Should there be another ticket for 5.x, or do we just have one ticket and fix it in two places (bit messy)?
Comment #6
reikiman commented:
For 5.x see http://drupal.org/node/217262
And now that 6 is out there should be a 6.x version..?
Comment #7
leop commented:
I wrote a patch that fixes this (at least in 5.x), and several other things. See:
http://drupal.org/node/220801#comment-730235
Maybe a backport to 4.7 is needed.
Comment #8
christefano commented:
Holy smokes, the patch at http://drupal.org/node/226304#comment-750398 makes Recent Changes usable with node access! I'm marking this issue as a duplicate.
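
As an added illustration (not code from the Recent Changes module or from any patch linked in this thread), the sketch below models the requested behaviour in Python with SQLite: a recent-changes listing filtered by the viewer's grants, beside the unfiltered listing and a plain-JOIN variant that returns a node once per matching grant. The table layout is a simplified assumption modelled on Drupal's node and node_access tables; the sample rows, grant ids and function names are constructed.

```python
import sqlite3

# Simplified, constructed schema modelled on Drupal's node and node_access tables.
SCHEMA = """
CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, changed INTEGER);
CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT, grant_view INTEGER);
"""
# Constructed sample data: node 1 is public, node 2 sits in a private forum,
# node 3 is viewable through two different grants (forum group 7, og group 9).
NODES = [(1, "Public page", 100), (2, "Private forum post", 200), (3, "Group post", 300)]
GRANTS = [(1, 0, "all", 1), (2, 7, "forum", 1), (3, 7, "forum", 1), (3, 9, "og", 1)]

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO node VALUES (?, ?, ?)", NODES)
    db.executemany("INSERT INTO node_access VALUES (?, ?, ?, ?)", GRANTS)
    return db

def _grant_clause(user_grants):
    """Build '(realm = ? AND gid = ?) OR ...' for the viewer's grants."""
    pairs = [("all", 0)] + list(user_grants)  # every viewer holds the public grant
    sql = " OR ".join("(na.realm = ? AND na.gid = ?)" for _ in pairs)
    return sql, [value for pair in pairs for value in pair]

def recent_changes_unfiltered(db):
    """The reported behaviour: every change is listed for every viewer."""
    return [r[0] for r in db.execute("SELECT title FROM node ORDER BY changed DESC")]

def recent_changes_naive_join(db, user_grants):
    """Access check via a plain JOIN: one row per matching grant, so duplicates."""
    clause, args = _grant_clause(user_grants)  # clause holds placeholders only
    q = ("SELECT n.title FROM node n JOIN node_access na ON na.nid = n.nid "
         f"WHERE na.grant_view = 1 AND ({clause}) ORDER BY n.changed DESC")
    return [r[0] for r in db.execute(q, args)]

def recent_changes_filtered(db, user_grants):
    """Access check via EXISTS: each viewable node appears exactly once."""
    clause, args = _grant_clause(user_grants)
    q = ("SELECT n.title FROM node n WHERE EXISTS (SELECT 1 FROM node_access na "
         f"WHERE na.nid = n.nid AND na.grant_view = 1 AND ({clause})) "
         "ORDER BY n.changed DESC")
    return [r[0] for r in db.execute(q, args)]
```

Calling `recent_changes_filtered(db, [])` models an unauthenticated viewer such as a feed reader that sends no session cookie, which is the case Comment #5 raises for the RSS feed.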