Closed (duplicate)
Project: Recent Changes
Version: 5.x-1.1
Component: Code
Priority: Critical
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 3 Feb 2008 at 05:15 UTC
Updated: 10 Jan 2009 at 20:51 UTC
The Recent Changes module and associated RSS feed show all changes made to the site to all users. If a user is not allowed to access some content, he/she should not be presented with a link to it in the recent changes, and it should not be included in the recent changes RSS feed. Only nodes which can be accessed by the logged-in user should be seen.
To fix the RSS feed problem the feed will need to be an authenticated feed.
(Note, this is the 5.x version of http://drupal.org/node/133676)
Comments
Comment #1
reikiman commented
Subscribing ... I have the same issue in that it's a useful feed, but I have non-public stuff on my site which has limited access.
In the 4.7 thread for this bug it's mentioned a possibility of using authentication. e.g. a non-authenticated request would only show the public content, and an authenticated request would show more depending on the authenticated user ID. That makes sense and there are no doubt some calls the module could make to determine the access rights to each thing.
Oh, would this help w/ authentication: http://drupal.org/project/tokenauth ??
Comment #2
leop commented
I wrote a patch that fixes this, and several other things. See:
http://drupal.org/node/220801#comment-730235
Comment #3
rötzi commented
I added now a "access recent changes" permission to view the "recent changes" page. Also I added the db_rewrite_sql statements. Can you please test if it works?
Use the DRUPAL-5 branch for the fixed version.
Also see #226304: Access checking broken!
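An added example, not the module's code and not something posted in this thread: a Drupal 5 listing query passed through db_rewrite_sql() so that nodes the current user may not view are dropped in the query itself and never reach the page or the feed. The function name `example_recent_changes_rows` is hypothetical, and the query reads the core {node} table as a stand-in for the module's own query, which this page does not show.

```php
<?php
/**
 * Hypothetical helper (Drupal 5 API): the most recently changed nodes
 * that the current user is allowed to view.
 */
function example_recent_changes_rows($limit = 20) {
  // Permission named in comment #3. The module must declare it in
  // hook_perm() for this check to be grantable to roles.
  if (!user_access('access recent changes')) {
    return array();
  }

  // Select from {node} with the conventional alias "n" so that
  // db_rewrite_sql() can find the primary table and field (n.nid).
  // db_rewrite_sql() does not filter unpublished nodes, so the
  // status condition has to be stated explicitly.
  $sql = "SELECT n.nid, n.title, n.changed
          FROM {node} n
          WHERE n.status = 1
          ORDER BY n.changed DESC";

  // db_rewrite_sql() lets node access modules add their joins and
  // conditions for the current user. Rows the user cannot view are
  // excluded by the database, so there is nothing left to hide or
  // replace with a "no access" message when the list is rendered.
  $result = db_query_range(db_rewrite_sql($sql), 0, $limit);

  $rows = array();
  while ($row = db_fetch_object($result)) {
    $rows[] = $row;
  }
  return $rows;
}
```

The rewrite is applied for whichever user Drupal has loaded for the request, so a feed reader that does not authenticate is treated as the anonymous user and receives only content that role can view.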
Comment #4
fuzzy_texan commented
Apologies for the delay in getting around to testing this. I tested this in 5.x-1.2.
The feed now shows "You do not have access to view this" (or something to that effect - I don't have the screen in front of me now). As discussed in http://drupal.org/node/226304, it would be better if unauthorised users didn't receive the entry in the feed at all (with the check being done in http_auth, or securesite).
Comment #5
leop commented
@rötzi: can we proceed with implementing and releasing
http://drupal.org/node/226304#comment-750398 ?
This patch solves many of the problems of this kind users might encounter. If you don't have time I can do it myself, but I just started learning the Drupal rules for CVS so I'm not entirely confident I can do it right the first time.
@fuzzy_texan: just be patient..., or apply http://drupal.org/node/226304#comment-750398.
Comment #6
fuzzy_texan commented
Any updates on this leo or rötzi (or anyone else who could help)?
Comment #7
christefano commented
The patch linked to in comment #5 fixes this issue. I'm marking this issue as a duplicate.