Rating widget is shown even when user does not have "view ratings" permission

Priority critical for a display problem that doesn't have any functional implication? Oh well ...

Here is the code patch to implement this feature:

At line 274 of the current version of fivestar.module:

function fivestar_nodeapi(&$node, $op, $teaser, $page) {
global $user;

  switch ($op) {
    case 'view':
      if ( $user->uid == 0 and !user_access('rate content') ) {
        return;
      }
      if ($node->in_preview == FALSE && variable_get('fivestar_' . $node->type, 0)) {
        if ($teaser) {
          ....

Here's the better patch, one that works for all role permissions and is set up to allow future Javascript support of different form behavior based on "view ratings" and "rate content" permissions:

function fivestar_nodeapi(&$node, $op, $teaser, $page) {
global $user;

  switch ($op) {
    case 'view':
      if ( !user_access('view ratings') ) {
        return;
      }
      if ($node->in_preview == FALSE && variable_get('fivestar_' . $node->type, 0)) {
        if ($teaser) {
          ....

Doh - forgot we don't need $user anymore... and, since we are down to one conditional, we can just add it to the if statement already in place. Here's an even better patch, same place in the file:

function fivestar_nodeapi(&$node, $op, $teaser, $page) {
  switch ($op) {
    case 'view':
      if ($node->in_preview == FALSE && variable_get('fivestar_' . $node->type, 0)
           && user_access('view ratings')) {
        if ($teaser) {
          ....

This tested fine on my site. The "view ratings" permission now overrides the "rate content" permission, so presently, the logic is: if you aren't allowed to see the ratings then you aren't allowed to vote.

This patch works for removing the whole form when viewing is not allowed. However, this isn't how I imagine the function should work.

When viewing is allowed the current rating should be shown at least. If voting by authenticated users is allowed a message such as, 'Login to vote' should then be shown. Or of course the 'Your Vote' part if the user is logged in.

Indeed, this a fairly significant (and misleading) bug. It did something very, very early in development, but has just sat there ever since.

raintonr has some good suggestions on usability that would be good to include in this request. Also, an update function in the .install file will be necessary for this request, since the access permission currently doesn't do anything, it should be enabled on all sites during the upgrade process.

Also, please submit changes as patches: http://drupal.org/patch/create

• +1 for showing current score only to users with "view ratings" permission.
• -1 for "login to vote..." link.
  1. I'm using fivestar for an internal editorial process, where this doesn't make sense
  2. The immutable-without-theming "login to post comments..." link on every node in core is awful, don't copy awful.

#2 could well be an option in the fivestar admin page [x]'show "login to vote..." links", but it should go in as a separate patch.

...
time passes
...

Well I had a patch going but then I saw that the summary results are being done on the client-side. This makes no sense to me, since they are already being calculated on the server and sent over the wire by fivestar_vote() in the "" tag. How about we just display the contents of that tag so we don't need so much javascript? (yes, javascript is pretty)

Here is the beginning of a patch. I shifted all of the '#type'=> 'hidden' form elts to 'value', which prevents them being sent to the client (since they shouldn't be). This breaks the javascript markup generation for the results, but since a markup string for the result is already being passed back, this code is redundant. If somebody wants to finish this by fixing the JS I'll work on it more.

• Checks both perms
• Allows voting without seeing results, seeing results without voting, neither
• The JS is broken so it doesn't show "your vote was successful" for the case of voting without seeing.

I'm still interested in committing this if we can finish the work. edrex's last patch made good headway but has some additional problems also:

The

  if (strpos(drupal_get_js(), "jQuery('input.fivestar-submit').hide()") === FALSE) {
    drupal_add_js("jQuery(function(){jQuery('input.fivestar-submit').hide();});", 'inline');
  }

needs to stay intact, as fivestar_form() is meant as a public function that can be called independently. We need to ensure the javascript is always added if the form is being displayed.

Second, this will need an _update hook in fivestar.install. We'd have a lot of shocked users if no one could see the results suddenly! It should just set the permission "view fivestar results" to TRUE for all roles, since this is effectively what the current setting is.

I've removed the 'view rating' permission entirely for the time being, since it doesn't do anything. This makes this thread a feature request. :)

I agrre with raintor. This is the behavior adapted in community portals (e.g. see in youtube.com - when you are not logged in you can only view the rating and you get a message to login in order to be able to vote...)

I'm with raintor and ekrispin; stars should be hidden with some t() text to the effect of "login to vote"

Has someone managed to adjust Fivestar functionality to the popular way of allowing all to view the average score and displaying 'Login to vote' for anonymous users?

In order to get the static version of the stars to show for users without rating access, I simply checked for user_access('rate content'), and if it returned false, I fall through to the static version instead of calling the form.

Attached is the patch.

May I suggest this patch instead (operates inside fivestar_custom_widget() - same effect, but also handles the case where fivestar_widget_form($node) is called directly)

I committed #13 with some enhancements. If the display is set to the 'smart', 'combo', or 'user' styles but the user is not allowed to vote, the static version falls back to average. There wouldn't be much point in displaying the user's rating if they weren't allowed to vote!

yched, I didn't use the approach in #14 because not displaying the vote widget would only work if the display was 'dual', because then the static widget is already loaded. In all other cases it would prevent any thing from displaying at all.

I didn't add a 'login to vote' text because like edrex mentioned, it doesn't make sense in all cases. What if only moderators or site admins are allowed to vote? Telling a user to login to vote is misleading. If we can come up with a sound solution we'll implement it, but in the mean time you can over ride theme_fivestar_static_element() to display a message when the description is empty and the current user is anonymous.

I'm keeping the issue open because we haven't yet addressed the 'view ratings' permission. Any takers to put the final nail in this one?

[edit] nevermind, I wasn't looking at cvs head

Looks like there's a patch for 'view ratings' permission in progress here: http://drupal.org/node/221181, we'll continue discussion on that topic there.

+1 to display "login to vote" as an OPTION in the module configuration.

You're right that it does not apply to all cases, like in the example you gave above, but I think the majority of Drupal developers implement fivestar for authenticated users and not just moderators or administrators.

I think it would be a really good option.