I just discovered that the general permission 'view revisions' from the node module, which is required by the Revisioning Module, gives access to all revisions of any node content-type, published or not, to Roles that should not have this access.

Let me give an example to clarify.

On my site, I have 4 roles:

  • Page Contributors - for users to add static content to the site
  • Page Moderators - to moderate (edit and publish) posts of Page Contributors and to make their own page posts
  • Bloggers - for users to post blog posts
  • Blog Moderators - to moderate (edit and publish) posts of Bloggers and to make their own blog posts

All roles have the permission "View Revisions" which is required by the Revisioning Module in order to access revisions.

So for example, a Page Contributor creates a "Policies Page". The Moderator approves it, and it gets published so it is now viewable to all Anonymous and Authenticated users.

A user now with the Blogger Role views that "Policies Page" and because they also have the "View Revisions" permission, they are given the tabs to "View Revisions" from which they can view all past revisions of the "Policies Page", even those that were never published and should have only been seen by the Page Author and Page Moderators based on work flow states.

Right now, I don't know what the solution to this is, but it's a big gaping hole in my set-up. I've marked this as a bug report because, but I don't know if the solution is through coding of the module or something else.

Hope I've stated the problem clearly enough.

Steve

Comments

wickwood’s picture

I'm thinking that to solve this will require "view permissions" for each content-type that can be assigned by role, similar to the patch solution for unpublished content found in http://drupal.org/node/490580#comment-1728898

Steve

rdeboer’s picture

Hi Steve,
This does indeed need to be looked at.
Just so that I have all the parameters correct... Does this occur with Revisioning by itself, or are there other modules in the mix, like Workflow perhaps?
Rik

wickwood’s picture

Hello Rik,

I'm using both Workflow, TAC-lite (used for restricting which roles can access certain Calendar Event and Poll node types, and this is working) as well as Rules (used to publish and unpublish nodes based on Workflow States) as I've outlined in my other posts. (I'll have to find those posts to link to, and edit this post later with those.)

But I think the real breakdown is with Workflow and Revisioning.

For all of my node types I have 4 Workflow States:

  1. in draft - only the author can edit
  2. in review - only moderators can edit
  3. live - viewable to all, authors and moderators can make new revisions
  4. Unpublished - only moderators can view and edit

Also, each node type has similar access settings to this:

  • State: in draft - only the author can edit
    • Roles who can view posts in this state:
      • anonymous user
      • authenticated user
    • Roles who can edit posts in this state:
      • Webmaster (the Super User Role with permission to do everything)
      • author
    • Roles who can delete posts in this state:
      • Webmaster
  • in review - only moderators can edit
    • Roles who can view posts in this state:
      • anonymous user
      • authenticated user
    • Roles who can edit posts in this state:
      • Moderator - (for content-type, i.e. Blog, Page, etc.)
      • Webmaster
    • Roles who can delete posts in this state:
      • Webmaster
  • live - viewable to all, authors and moderators can make new revisions
    • Roles who can view posts in this state:
      • anonymous user
      • authenticated user
    • Roles who can edit posts in this state:
      • Moderator - (for content-type, i.e. Blog, Page, etc.)
      • Webmaster
      • Author
    • Roles who can delete posts in this state:
      • Webmaster
  • Unpublished - only moderators can view and edit
    • Roles who can view posts in this state:
      • Moderator - (for content-type, i.e. Blog, Page, etc.)
      • Webmaster
    • Roles who can edit posts in this state:
      • Moderator - (for content-type, i.e. Blog, Page, etc.)
      • Webmaster
    • Roles who can delete posts in this state:
      • Webmaster

And I think what is happening is that once a node is put in the 'Live' workflow state and the latest revision is published, anyone with the "View Revisions" Permission can now see all of the revisions made for that node post. So associated workflow states to any particular revision are applied to all revisions.

Access to unpublished material is handled by the patch: http://drupal.org/node/490580#comment-1728898

What I expect to happen, or should I say want to happen, is to restrict the access to revisions for any given node to the Author, the Moderators for that Content Type, and the Super Webmaster.

After I finish some other work, I'm thinking of trying to set up a new Rule to work around this problem. I'll let you know how that works out.

Hope that helps your ruminations on this!

Steve
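
The access rule reported in this thread, modelled beside the scoped rule the reporter asks for, as an added example that is not part of the original thread and is not Drupal or Revisioning code. Apart from 'view revisions' and the role names, every permission string, function name and user name below is an assumption made for illustration.

```php
<?php
// Standalone model of the two access rules; not Drupal or Revisioning code.
// Permission names other than 'view revisions' are hypothetical.

// Constructed sample data: permissions granted to each role from the thread.
$grants = [
    'Page Contributor' => ['view revisions', 'view revisions of own page content'],
    'Page Moderator'   => ['view revisions', 'view revisions of any page content'],
    'Blogger'          => ['view revisions', 'view revisions of own blog content'],
    'Blog Moderator'   => ['view revisions', 'view revisions of any blog content'],
];

// Constructed sample node: the live "Policies Page" with earlier unpublished drafts.
$node = ['type' => 'page', 'author' => 'alice', 'title' => 'Policies Page'];

// Constructed sample users, one or two per role.
$users = [
    ['name' => 'alice', 'role' => 'Page Contributor'],
    ['name' => 'bob',   'role' => 'Page Contributor'],
    ['name' => 'carol', 'role' => 'Page Moderator'],
    ['name' => 'dave',  'role' => 'Blogger'],
    ['name' => 'erin',  'role' => 'Blog Moderator'],
];

function has_perm(array $grants, array $user, string $perm): bool {
    return in_array($perm, $grants[$user['role']] ?? [], true);
}

// Rule as reported: one site-wide permission, blind to content type and author.
function revisions_visible_global(array $grants, array $user, array $node): bool {
    return has_perm($grants, $user, 'view revisions');
}

// Rule the reporter asks for: the author, or a moderator of that content type.
function revisions_visible_scoped(array $grants, array $user, array $node): bool {
    $type = $node['type'];
    if (has_perm($grants, $user, "view revisions of any $type content")) {
        return true;
    }
    return $user['name'] === $node['author']
        && has_perm($grants, $user, "view revisions of own $type content");
}

// Audit: list users the global rule admits but the scoped rule would refuse.
foreach ($users as $u) {
    $global = revisions_visible_global($grants, $u, $node);
    $scoped = revisions_visible_scoped($grants, $u, $node);
    printf("%-6s %-17s global=%-3s scoped=%-3s %s\n", $u['name'], $u['role'],
        $global ? 'yes' : 'no', $scoped ? 'yes' : 'no',
        ($global && !$scoped) ? 'OVER-EXPOSED' : '');
}
```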

rdeboer’s picture

Hi Steve,
Pretty advanced stuff!
I understand that in order to make things work for you, you want to add additional Rules (Rules module), but you shouldn't have to. The Workflow access grants should be able to cover this situation.

Have you tried what I suggested in another thread, that is to uncomment those two lines in Module Grants that start with //drupal_set_message(...?
By doing this you'll get some debug info at the top of your screen as you click around on your site. It will tell you which module is granting/denying access to the logged-in user for each visited piece of content.
That should help us in narrowing down the problem.
Rik

crea’s picture

#513078: Flexible revision permissions. is related (or duplicate)
I think you can't solve this using Rules module. We just need new, more flexible revisions permissions.

wickwood’s picture

Status: Active » Fixed

Yes, this is a duplicate issue of , or rather, that one is a duplicate of this one.

But either way, the patch you created, Crea, seems to solve my issue!
Patch posted in this comment:
http://drupal.org/node/513078#comment-1795926

Thank you very much for your hard work. I guess sometimes it pays to get distracted away for a while!

This set of modules is really becoming the best of the best for revisioning and moderation thanks to the community effort.

I'm marking this issue as fixed.

Steve

rdeboer’s picture

Great Steve and crea!
Will endeavour to check in the patch as soon as I can.
Rik

rdeboer’s picture

Status: Fixed » Closed (fixed)

Checked into repository as per #513078: Flexible revision permissions. patch.
Rik