Jump to:
| Project: | Diff |
| Version: | 6.x-2.x-dev |
| Component: | User interface |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
| Issue tags: | access denied, diff, permissions |
Issue Summary
I have a site that has different roles for an editorial process. Simply, "Author" (someone that creates an unpublished node), "Editor" (someone that has full access and revision control over a node to make comments and edits), and a "Publisher" (someone who can publish the node).
When an Editor is logged in, they receive an "Access Denied" error when viewing the diff of revisions for an unpublished node for which they are not the author. If they are temporarily changed to the author of the node (an undesirable step) or if they publish the node (unacceptable, since the public would see unedited content), they can view the diff of the revisions.
For clarity and completeness, "Editors" have the following permissions, as pulled from the permissions table:
skip CAPTCHA, create chat rooms, create chats, edit own chat rooms, clone node, clone own nodes, edit field_date, edit field_post_type, create forum topics, delete any forum topic, delete own forum topics, edit any forum topic, edit own forum topics, access content, create post_pplvr content, delete any post_pplvr content, delete own post_pplvr content, edit any post_pplvr content, edit own post_pplvr content, revert revisions, view revisions, override post_pplvr authored by option, override post_pplvr authored on option, search content, upload files, view uploaded files, access workflow summary views, schedule workflow transitionsNote that there are permissions for a "post_pplvr" type and its fields, for which they should have full access. I don't think that I've missed anything...
This issue occurs with version 6.x-2.0 up through 6.x-2.1-alpha3.
It also seems counter-intuitive to present the option to view a diff just to land on an "Access Denied" page. Is this a good time to consider a "view diffs" permission?
I'm working on several things for this project, so I don't really have time to delve into the diff module's code. If I can find some time or if this becomes a larger priority for us, I will return with any findings.
Thanks for any help anyone might have. :)
Comments
#1
I had been experiencing the same problem with 2.1-a3, I recently gave the 2.x dev a go to see if there were any changes and now it simply gives a WSOD to me when trying to view a pending revision. Otherwise it still works fine.
#2
I use http://drupal.org/project/view_unpublished for granting permissions to viewing unpublished nodes.
I have submitted a patch to #500432-12: Allow access to view unpublished revisions (and revision tab) that adds support to the diff module. Not sure if it will be accepted
#3
I'm running into the same situation. And I tried out view_unpublished hoping it would solve this for me.