Search results should not expose private information

search keywords module is not search.module.

we only accept new features against drupal CVS HEAD (the upcoming 4.8)

a lot of changes were made between drupal HEAD and 4.7
--> i guess it wont apply

reapplied

Not sure how important this is. One some sites it is probably useful to hide the date and author. And on static sites, the content type might be confusing. We'll want to come up with a better description for "extras". Extra's is not exactly helpful for a user. If you mean 'result snippets', write 'result snippets' (or something equivalent). Otherwise I'm cool with this patch.

Search results are already themable, do we really need explicit toggles?

The texts need work though. A description à la "Show the date in the results" is a bit redundant if you do it for every checkbox. How about naming the fieldset "Show in search results:" and removing the descriptions? "Node type" should be "Content type". And "extras" can be better too... perhaps "module-provided fields"?

Shouldn't we use #type => checkboxes for this as well?

I agree this is a non-important feature, but for some people this kind of tweaks can be quite usefull... Anyway, I fixed the texts as you suggested, but I also moved the form to the theme settings page following the example of post information settings.

Tweaking your site using settings is always easier and accessible to non-developers / non-designers. It's a useful feature IMO, and the code looks fast and elegant.

At least, the first patch looked elegant. The second patch seems rather complex ... not sure this ought to be a theme setting.

It's back on the search settings page...

...and ready for review...

This patch works well for me. I like it.

However, I'd like the search module to also care about the theme settings (as in theme_get_setting('toggle_node_info_' . $node->type)). If a node type requires not to display post information, I think the search results should not show such information. Maybe this is a separate issue though.

A bit late to try to revive this issue, but who knows? ;-)

Re-rolled the patch (not taking into account my comment in #11).

Marking http://drupal.org/node/107506 as a duplicate.

Furthermore, per content type setting from theme configuration could be imposed, as pointed on above link?

Yes, I'll make a new patch to take the theme setting into account. I also need to rename the new 'search_result_node_info' variable; it is misnamed because this setting does not apply only to nodes. I should have kept the same name as the previous patch. ;-)

This new patch takes theme settings into account and uses a proper variable name.

Removed an unwanted whitespace.

If anyone is interested in getting this frequently requested feature in Drupal 6, please review and test the patch before the code freeze (June 1st). It's a small and easy patch! :-)

This usage of t()/l() is incorrect.

Fixed!

Umm, use this patch instead.

Targetting D7, although the patch still works on D6 at the moment.

Would consider the 'post information' displayed on search result pages as a bug. It's really odd, because you don't want to show who created a content page; and if you have search module enabled, anyone can do a query and find the actual author and date of publishing. An example: Handbook pages on drupal.org.

If we can at least create a patch against search.module for Drupal 6.x-dev for respecting the "Display post information" settings in theme configuration, as a part of bug fix actually.

Good point! Here's the patch. ;-)

The patch is to the point for the actual bug fix!! If there's anything else demanded(except a comment?), that would be a feature request most probably. The patch attempts the minimal and best so far:

Hopefully, this is getting in soon. :)

Brilliant idea to apply the node toggles here, it is in fact a bugfix this way :) A line of comment would be good though.

Added a comment.

If the patch still applies, anyone going to commit? :)

It still applies. ;-)

Not any more it doesn't.

I looked at a few of the patches in the comments above, and the latest patch now looks incomplete. Fixing the latest patch to use search-result.tpl.php is trivial (patch attached), but someone else should add the settings form back. Was this dropped intentionally?

As of today, the settings form is there (in admin/build/themes/settings). However, the above patch did not work because $info_split['type'] is a "search type", and the patch seemed to expect a node type instead.

It could be nice to keep the template simple, so I'm proposing this new (and tested) patch that does not affect the tpl file.

tested:
1. tried mixed search, result contains node types with and without post info
2. tried to write print $info_split['user'] into tpl file, to get php error

works without any problem and code looks good

changed patch to apply from drupal root

no, sorry it does show php notice for test #2

search-result.tpl.php

* Since $info_split is keyed, a direct print of the item is possible.
* This array does not apply to user searches so it is recommended to check
* for their existance before printing. The default keys of 'type', 'user' and
* 'date' always exist for node searches. Modules may provide other data.

this is the minimal set of keys required.

@Pasqualle: Thanks for the testing! However, the conditions you've added in your last patch are redundant, and I don't think they're of any use. As you have quoted above regarding $info_split:

This array does not apply to user searches so it is recommended to check for their existance before printing

Checking for existence means using isset() in the tpl file if it needs to use a value from $info_split. The default search-result.tpl.php as it stands now does not use $info_split, and there are no PHP warnings or notices.

My recommendation would be to go with the patch at #34.

read further please

The default keys of 'type', 'user' and 'date' always exist for node searches.

As I read it, the whole description, there are keys like comment and upload and other possible module generated keys which are not guaranteed to be set, but these 3 are always set.
Of course if you examine the code closely, it was not guaranteed even before the patch, but that is a bug, as I understand.

It is basic requirement for css only themes to set all variables used, otherwise you will get php notices.

If you want to go with patch #34, then comment in search-result.tpl.php must be modified also.

Ah, yes... Good catch!

Except for 'type', 'user' and 'date', any value in $info_split already has to be checked for existence, so it seems more consistent to do the same for 'type', 'user' and 'date' as well. At least that's what the patch at #34 implied. This new one changes the comments in search-result.tpl.php to reflect this logic.

still applies.

LIVE FROM THE MINNESOTA SEARCH SPRINT: This patch still applies and works.

LIVE FROM THE MINNESOTA SEARCH SPRINT

Changing the title to better reflect the issue.

Currently, search results reveal authorship and other 'post' information, even if a site admin has elected to hide this information in the theme settings. This could be construed as an information leak.

This patch fixes that issue, by checking whether the theme allows post information to be displayed before populating the search results.

LIVE FROM THE MINNESOTA SEARCH SPRINT

Reviewed code; variable setting code in template_preprocess_search_result() is now executed conditionally for non 'node' type results or node types for which 'toggle_node_info_' is set.

Tested as follows:

* Before the patch is applied, all post information is displayed for all node types in search results

* With patch applied, enabled 'display post information' for a given set of types. Typed a search term which displays results encompassing all node types. Only the types for which 'display post information' is enabled now have post information displayed in search results. Tried this for several different combinations of types.

puregin: can you try writing a simpletest for this? It shouldn't be too hard.

puregin: can you try writing a simpletest for this? It shouldn't be too hard.

Hi,
This weekend PHP Quebec organized a Code Fest; I used this occasion to write a simpletest to test the presence of node info in the test result. Here is the new patch for the module.