This patch adds an extra permission 'access recent posts tracker' to the permissions system of drupal. Now, if people have 'access content' permission, they do _not_ automaticcally have access to the 'recent posts' tracker..

I would like to use the 'recent posts' or registered users on my sites only, and I'm quite tired of patching this with every release of drupal. I hope you guys agree with me, and help me get this small patch in.

Please review, comment or apply...

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Stefan Nagtegaal’s picture

Cvbge told there was a typo:
'Implementatino' => 'Implementation'..

Rerolled and ready for more reviews...

Stefan Nagtegaal’s picture

Status: Needs review » Reviewed & tested by the community

Setting to 'patch (ready to be committed)', because I'm using and testing this patch since tracker.module is in core...

Works as advertised, so please apply if you think the functionality is missing in core..

Boris Mann’s picture

Sorry, but I can't see the use of this. Why would you not want to give all users (and especially search engines) a view of all activity on the site?

Just seems like we are mushrooming permissions.

Dries’s picture

Status: Reviewed & tested by the community » Postponed

I'm with Boris on this one.

intu.cz’s picture

I have come across the same problem and used path_access to solve it (but uncovered a different problem: the 403 access denied page that came up was in the wrong language - English instead of Czech - and I haven't managed to find a tracker.module issue page to submit there).

Now to the point: there clearly is a need for this. Imagine a corporate site where the admin has switched off the submitted by Username on date text when displaying posts in the global settings for Themes. The reason is simple: there is no need to show who wrote what - it's corporate communication. So here goes a cheeky nosy person, writes http://website.com/tracker and all the secret is out. All the kinky usernames...

Another reason might be security: when you want to hide usernames (some of them might be "unpublic", to put it mildly), the tracker page throws them into the open. Hiding usernames might be good for people concerned with malicious login attempts. No visible usernames seems safer to me in certain places...

Well, just my opinion on the use for a feature like this... (BTW: where should I file an issue concerning the tracker.module?)

here’s picture

Status: Postponed » Active

If any sort of permissions are enable on a site, the title+time+user is far too much information to be giving out to anonymous users who shouldn't even know that content exists. This is only an issue if one considers permissions based access to content important -- and an obvious and serious issue when one does.

See here for extended further discussion: http://drupal.org/node/28653

In my case, perhaps not directly applicable to this core patch, but the same problem -- taxonomy_access fails miserably here as well.

Pardon me for returning status to active -- scold as necessary.

LAsan’s picture

Version: x.y.z » 7.x-dev

Stefan Nagtegaal: Can this patch apply in cvs?

Moving to cvs.

Stefan Nagtegaal’s picture

Status: Active » Closed (won't fix)

@LAsan: Please read the issues before bumping things to new versions or any of that. Damned!
You are making drupal.org mailinglist quite busy these days, without any value you add.

If you *did* actually read this issue, you could have seen in #4 that Dries was against this change, so it could be marked as Wont fix.

Now, please stop this annoyance by going through issues without even reading/testing things and just bumping things from version to version and asking most stupid questions!!

fletchgqc’s picture

I feel this functionality would be genuinely useful. Stefan is it technically feasible to create a module for it?

Boris Mann’s picture

You can do this today by turning off core "tracker" module, and using the Views version of "tracker / recent posts" instead. Modify the view to only allow access by the roles you want to be able to see it. Done.

fletchgqc’s picture

Thanks, I'll give that a shot.

agerson’s picture

Version: 7.x-dev » 6.x-dev

I too would like this permission to be included as part of tracker core in a 6.x release. I would like a way to show designated content authors their posts, but not the average user of my site. I will have a look at the patch and the views options.

izmeez’s picture

In Views the Tracker view is disabled by default. If you enable that view the permission can then be changed from the default of unrestricted to multiple by role or by permission. But when you do this, you are still using the core Tracker aren't you?

There are several other views that may also need similar attention if you are using Organic Groups. e.g. the "og" view and "group/tracker", and if enabled "popular/all"

The bottom line is to check the settings for all Views on the site. Otherwise, this can leave content exposed to the public that should be private.

I'm not sure how this should be handled by default to prevent the problem.

Thanks,

Izzy

v8powerage’s picture

FileSize
1.95 KB

I made tracker permission patch for D6.