The stat counter display used to be restricted both by the statistics_display_counter global setting, and the current users access right to statistics. Since this access right is kept in the HEAD version of the module, I doubt it was not intended to only print out the view number to those with proper access rights. This simple patch adds the proper check.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Dries’s picture

Shouldn't that be user_access('access statistics') instead of array('access statistics')? (Easy enough to fix.)

Note that 'access statistics' allows access to the administration pages so I'm not sure this patch is a good idea.

Food for thought/dicussion.

Gábor Hojtsy’s picture

Yes, I meant user_access(), sorry. There needs to be a way to hide the view counters from those not authorized. Now if the view counters are turned on, everyone can see the view counters, regardless of their rights. If the counters are turned off, then noone can see the view counters. This used to be working that only those with proper right can see the counter if the counter is turned on. IMHO this should be restored.

killes@www.drop.org’s picture

Patch not ready.

Uwe Hermann’s picture

Status: Active » Needs work
Jaza’s picture

Version: x.y.z » 4.7.x-dev
Status: Needs work » Closed (fixed)

This patch is no longer needed, as statistics.module now has a 'view post access counter' permission, and this permission is checked in statistics_link().