Problem/Motivation

There is no way of distinguish access permission of the tracker modules track tab. Currently the "access content" permission is used to access the track tab on the user page. The intention is to refine this.

Proposed resolution

The patch in #45 adds these three permissions:

  • access global tracker
  • access other user's tracker
  • access own tracker

Remaining tasks

The given patch has to be reviewed and tested by some more people to be able to be set RTBC.

User interface changes

Added permission on the administer permission page.

API changes

No changes.

Original report by gaellafond

Hi,

It seem that the tracker module in Drupal 6.16 core do not have any permissions handler. It only check if the user has access content or not. This patch add a access tracker and a access own tracker setting in the permission page.

In other words, this patch allow you to nicely disable the track tab.

NOTE: I added a special case denied access to user own tracker if the user has access to tracker but not to his own tracker. It seem odd to me to allow a user to see all other user's tracker but not his own, but I guess that's what you expect if u check the access tracker but not access own tracker.

CommentFileSizeAuthor
#45 tracker-permissions-762962-45.patch14.1 KBavpaderno
#43 tracker-permissions-762962-43.patch12.3 KBavpaderno
#39 tracker-permissions-762962-39.patch11.67 KBavpaderno
#37 tracker-permissions-762962-37.patch10.97 KBavpaderno
#35 tracker-permissions-762962-35.patch10.96 KBavpaderno
#30 tracker-permissions-762962-30.patch10.23 KBavpaderno
#26 tracker-permissions-762962-26.patch10.07 KBavpaderno
#22 tracker-permissions-762962-22.patch1.4 KBavpaderno
#2 D6-tracker-permission.patch1.02 KBgaellafond

Comments

gaellafond’s picture

gaellafond commented

Thanks to Bluetegu for the idea.
If you are using Drupal 5, you should use his patch: http://drupal.org/node/510802

gaellafond’s picture

gaellafond commented
StatusFileSize
new D6-tracker-permission.patch1.02 KB

For some reason, the patch has been uploaded successfully on my first post, but it's not visible...

For those who are new with drupal, the permissions page can be access from the admin menu:
Administer > User management > Permissions

Z2222’s picture

Z2222 commented
Priority: Minor » Normal

Thanks, the patch worked for me.

I would call this an important issue. Users on some kinds of sites will consider it creepy to have a link called "track" on their user profile, but completely disabling the tracker module removes other functionality.

jumoke’s picture

jumoke commented

gaellafond!! This patch helped me. Thanks :)

locomo’s picture

locomo commented

susbscribe

fehin’s picture

fehin commented

subscribing

bryancasler’s picture

bryancasler commented

Lets get this committed, I'm not sure why this issue wasn't addressed sooner.

Anonymous’s picture

Anonymous (not verified) commented

I am not sure such changes are still made for Drupal 6; probably the patch should be made for Drupal 7, and then back ported to Drupal 6.

avolve’s picture

avolve commented

this patch fails (for Drupal 6.19)

Hunk #1 succeeded at 66 (offset 7 lines).
Hunk #2 FAILED at 82.
gaellafond’s picture

gaellafond commented

The module has probably been update since I created the patch. I will revise it latter.

Drake’s picture

Drake commented

Did you find a solution?
Or is it other solution to disable the tracker tab in user profile?

izmeez’s picture

izmeez commented

subscribing

gaellafond’s picture

gaellafond commented

@Drake No, unfortunately, as far as I know, there is no other solution. That's why I made this patch.

@avolve If you fail to apply the patch, maybe you can have a look at it to see why it's not working. It's a very simple patch that add a few lines of code to the file tracker.module. I will try to invest some time on it this week-end, but I can't promise anything. Btw, what is your Drupal's version? I suppose it can't be apply on D7 since it's implementation is quite different.

gaellafond’s picture

gaellafond commented

@avolve I test the patch and it's working. Maybe it is not working as you expect.

1. I install a fresh install of the last version of Drupal 6 (version 6.19).
2. I set the permission to allow everyone to see user profiles and allow the authenticate user to create content.
3. I activated the tracker module.
4. I create a simple user and I insert 2 contents.
5. I log out and I was able to see the tracker with the anonymous user.
6. I download the patch in the module folder of the drupal installation (not the tracker module folder).
7. I apply the patch by running the command patch -p0 < D6-tracker-permission_0.patch. The patch apply flawlessly.
8. I went to the permission and I activate the permission to allow user to see there own tracker.
9. I log out and now anonymous users can not see the tracker.

I look at some other patches and the need to be copied in the module folder. I'm not sure if this is correct or not. Personally, I thing it's more obvious to copy it to the tracker module folder. If you want, I can modify the patch file to allow it to apply directly from the tracker module folder.

Btw, what command did you use to apply the patch?

I hope that's help.

jdelgama’s picture

jdelgama commented

Follow step by step your instructions, patch applied ok, permissions assigned only to one role but annonymous users still see the "track" tab on pages :-(
Any ideas? Maybe my Drupal/PHP version? Any configuration I've left?
Working on Drupal 6.19 + MySQL 5.0.77 + PHP 5.1.6

gaellafond’s picture

gaellafond commented

@jdelgama Our anonymous users are not allow to see the users' profile. I didn't know it would cause an issue. I will correct that as soon as I can.

Thanks for your feedback.

arsunyiu’s picture

arsunyiu commented

subscribing

mdupont’s picture

mdupont
Primary language French
Location Switzerland
commented
Version: 6.16 » 8.x-dev

Feature request have to go against D8 then backported to other versions.

izmeez’s picture

izmeez commented

I second the thought in comment #3 that the name "tracker" can be unnerving for users and those new to Drupal so I wonder if it would be worthwhile to start a new issue feature request to rename to "activity" or something else more benign?

bryancasler’s picture

bryancasler commented

izmeez: I had the same thought, if you start that new issue que post a link here so we can follow along.

izmeez’s picture

izmeez commented

I have opened a separate issue on the naming question, Change "Track page visits" to "Page visits"

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Status: Active » Needs review
StatusFileSize
new tracker-permissions-762962-22.patch1.4 KB

This is the patch for Drupal 8.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Title: Add 'access tracker' and 'access own tracker' permissions in Drupal 6 » Add 'access tracker' and 'access own tracker' permissions

Status: Needs review » Needs work

The last submitted patch, tracker-permissions-762962-22.patch, failed testing.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Status: Needs work » Needs review
StatusFileSize
new tracker-permissions-762962-26.patch10.07 KB
praddles’s picture

praddles commented

#26: tracker-permissions-762962-26.patch queued for re-testing.

Status: Needs review » Needs work

The last submitted patch, tracker-permissions-762962-26.patch, failed testing.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Status: Needs work » Needs review
StatusFileSize
new tracker-permissions-762962-30.patch10.23 KB

I re-wrote the patch, as the path for the module files changed, since one of the last commits.

yoroy’s picture

yoroy commented
Issue tags: +permissions

Tagging, I see multiple 'add permissions for foo' issues going on.

joachim’s picture

joachim commented
Status: Needs review » Needs work

There are two permissions, but there are really three types of tracker:

- global tracker
- user tracker
- own tracker

What combination of permissions would allow user X to see the global tracker and see their tracker but not user Y's?

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented

I can think of two solutions:

  • "access tracker" is for accessing the global tracker, except for users with the permission to administer other users, for which the permission allows to see the other users' tracker too
  • "access own tracker" is for the users to access their own tracker
  • "access global tracker" is for the global tracker
  • “access other users' tracker" is for the tracker page of other users
  • "access own tracker" is for the users to see their own tracker page
joachim’s picture

joachim commented

I'd say 'access global tracker' / 'access user trackers' / 'access own user tracker' so it has the same pattern as other permissions that have a special case for 'own'.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Title: Add 'access tracker' and 'access own tracker' permissions » Add permissions for the tracker pages
Status: Needs work » Needs review
StatusFileSize
new tracker-permissions-762962-35.patch10.96 KB

Status: Needs review » Needs work

The last submitted patch, tracker-permissions-762962-35.patch, failed testing.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Status: Needs work » Needs review
StatusFileSize
new tracker-permissions-762962-37.patch10.97 KB

OK, now I can try with the real thing. :-)

Status: Needs review » Needs work

The last submitted patch, tracker-permissions-762962-37.patch, failed testing.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Status: Needs work » Needs review
StatusFileSize
new tracker-permissions-762962-39.patch11.67 KB

This patch should fix all the failing tests.

maxheight2’s picture

maxheight2 commented

Is there a patch for D7?

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Issue tags: -permissions

#39: tracker-permissions-762962-39.patch queued for re-testing.

Status: Needs review » Needs work
Issue tags: +permissions

The last submitted patch, tracker-permissions-762962-39.patch, failed testing.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Status: Needs work » Needs review
StatusFileSize
new tracker-permissions-762962-43.patch12.3 KB

I have updated the patch.

Status: Needs review » Needs work

The last submitted patch, tracker-permissions-762962-43.patch, failed testing.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Status: Needs work » Needs review
StatusFileSize
new tracker-permissions-762962-45.patch14.1 KB
aboros’s picture

aboros commented

from what i see the patch in #45 works properly. i can see the introduced permissions and they also work/apply as expected.

BrockBoland’s picture

BrockBoland commented
Issue tags: +Needs issue summary update

Needs issue summary

McGo’s picture

McGo commented
Issue tags: -Needs issue summary update

issue summary added.

McGo’s picture

McGo commented
Issue tags: +Needs issue summary update

Put the tag back again to hope that magic happens regarding http://core.drupalofficehours.org/task/733

BrockBoland’s picture

BrockBoland commented
Issue tags: -Needs issue summary update

For future reference: no, changing the tags here doesn't affect the tool at doh.org

xpresto’s picture

xpresto commented

This patch does not work for me (see dump below). The reason might be my Drupal version - 6.28?
Is there any way to include the fix into next Drupal 6 version?

patch -p0 < tracker-permissions-762962-45.patch
patching file b/core/modules/rdf/lib/Drupal/rdf/Tests/TrackerAttributesTest.php
Hunk #1 FAILED at 41.
1 out of 1 hunk FAILED -- saving rejects to file b/core/modules/rdf/lib/Drupal/rdf/Tests/TrackerAttributesTest.php.rej
patching file b/core/modules/tracker/lib/Drupal/tracker/Tests/TrackerNodeAccessTest.php
Hunk #1 FAILED at 44.
1 out of 1 hunk FAILED -- saving rejects to file b/core/modules/tracker/lib/Drupal/tracker/Tests/TrackerNodeAccessTest.php.rej
patching file b/core/modules/tracker/lib/Drupal/tracker/Tests/TrackerTest.php
Hunk #1 FAILED at 21.
Hunk #2 FAILED at 48.
Hunk #3 FAILED at 60.
Hunk #4 FAILED at 86.
Hunk #5 FAILED at 114.
Hunk #6 FAILED at 132.
Hunk #7 FAILED at 147.
Hunk #8 FAILED at 160.
Hunk #9 FAILED at 175.
Hunk #10 FAILED at 190.
Hunk #11 FAILED at 199.
Hunk #12 FAILED at 213.
Hunk #13 FAILED at 230.
Hunk #14 FAILED at 256.
14 out of 14 hunks FAILED -- saving rejects to file b/core/modules/tracker/lib/Drupal/tracker/Tests/TrackerTest.php.rej
patching file b/core/modules/tracker/tracker.module
Hunk #1 FAILED at 29.
Hunk #2 FAILED at 155.
2 out of 2 hunks FAILED -- saving rejects to file b/core/modules/tracker/tracker.module.rej

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented

You cannot apply a patch for Drupal 8 to Drupal 6.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Issue tags: -permissions

#45: tracker-permissions-762962-45.patch queued for re-testing.

Status: Needs review » Needs work
Issue tags: +permissions

The last submitted patch, tracker-permissions-762962-45.patch, failed testing.

xpresto’s picture

xpresto commented

I'm confused.
Post #14 in this thread:
http://drupal.org/node/762962#comment-3660368
says:
"I install a fresh install of the last version of Drupal 6 (version 6.19)..."
- and I was under impression that the patch is for Drupal 6 and post #15 further confirms this.

Assuming that I misunderstood this - I'm still not sure if the issue is considered as bug and will be fixed in Drupal 6? This is definitely a bug, and this is a security bug. Are you saying that it will not be fixed in Drupal 6? Anybody has repro for Drupal 7?
If the problem is identified and understood, you made actual code fixing it (hm, for Drupal 8 as you say), why not push the fix to Drupal 6 and 7? Can somebody from dev team explain this please?

Thanks for your time.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented

See comment #18: Since that comment, the issue report is for Drupal 8. The patch could be then ported to Drupal 7, but it will not ported to Drupal 6 since there isn't any security issue. On Drupal 6, tracker pages are accessible from who has the permission to access content, not from every user.

neRok’s picture

neRok commented

Marked #1432910: User profile track tab permission needs adding as duplicate.

gynekolog’s picture

gynekolog commented
Status: Needs work » Needs review
Issue tags: -permissions

#45: tracker-permissions-762962-45.patch queued for re-testing.

Status: Needs review » Needs work
Issue tags: +permissions

The last submitted patch, tracker-permissions-762962-45.patch, failed testing.

kpm’s picture

kpm commented

subscribing

kpm’s picture

kpm commented
Issue summary: View changes

add issue summary.

kopeboy’s picture

kopeboy
Primary language Italian
Location Milan
commented

What about Drupal 7??

ecvandenberg’s picture

ecvandenberg commented

This issue is still valid for Drupal 7.41

With the core tracker module enabled, all users with the permission to see user profiles also see other user's tracker data. Even without the permission to access statistics.

The only solution is to disable the tracker module.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone commented
Status: Needs work » Postponed

This extension is deprecated and scheduled for removal in Drupal 11.

This is now Postponed. The status is set according to two policies. The Remove a core extension and move it to a contributed project and the Extensions approved for removal policies.

It will be moved to the contributed extension once the Drupal 11 branch is open.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

andypost’s picture

andypost
he/him
Primary language Russian
commented
Project: Drupal core » Activity Tracker
Version: 11.x-dev » 1.0.x-dev
Component: tracker.module » Code
Status: Postponed » Needs work
Related issues: +#2978468: Activity Tracker module does not allow to prevent anonymous users from seeing the users activity., +#2777445: Restrict access to track user page by default in Tracker module
batigolix’s picture

batigolix
Primary language Dutch
Location Utrecht
commented
Status: Needs work » Closed (duplicate)

This is a duplicate of #2978468: Activity Tracker module does not allow to prevent anonymous users from seeing the users activity.

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.