Nodes with Log Messages are always displayed with the log message to all users. This is a result of the removal of moderation from core (http://drupal.org/node/72343).
Patch simply removes the problematic code.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | logpatch_0.txt | 642 bytes | webernet |
| | logpatch.txt | 677 bytes | webernet |
Comments
Comment #1
webernet commented
To clarify:
When moderation was removed, a clause in the if statement was also removed - thus making it always return true (except in a teaser).
This means that any log message will be displayed to anyone reading the node. (A possible security concern.)
Code seems to have only been used for moderation - thus it should be safe to remove it.
Comment #2
chx commented
Would a #access be a better idea? Or just remove it?
Comment #3
webernet commented
If you feel the user_access() route is the way to go, then here's a patch that checks for the 'view revisions' permission before displaying the log message.
Also bumping to critical due to private log information being disclosed.
Comment #4
flk commented
lol, had a problem reproducing this problem (newb :P) but finally found it... the problem only occurs with book pages (I think they are the only ones that have log messages...).
Anyways, I tested the patch from comment #3, which I can confirm resolves the problem by making sure the user viewing the book page has the 'view revisions' permission.
Comment #5
webernet commented
As of 5.0, only book pages allow users to add log messages. Previously, in 4.7 you could also add them to "page" nodes, but this functionality was removed/forgotten in the pre-CCK patch.
Log messages are also added automatically when you revert to a previous revision of any node.
Comment #6
dries commented
Committed to CVS HEAD. Thanks webernet! :)