In the "og_moderation_node_revision_access()" function, a call to _node_revision_access() always passes the 'view' $op instead of the $op that is passed to the function. That means that any user with the ability to 'view' revisions will also be able to delete or revert them.

function og_moderation_node_revision_access($node, $op = 'view') {
  if ($gids = og_get_entity_groups('node', $node)) {
    foreach ($gids as $gid => $value) {
      if (og_user_access($gid, "access revisions options of " . $node->type . " content")) {
        return TRUE;
      }
    }
  }
  return _node_revision_access($node, $op = 'view');
}

The following patch fixes this by just passing the $op variable:

  return _node_revision_access($node, $op);
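
The defect described above, reduced to a stand-alone PHP regression check (an added example, not code from og_moderation or Drupal core). demo_revision_access(), the wrapper_* functions, excess_grants() and the sample permission list are hypothetical stand-ins constructed for illustration.

```php
<?php
// Hypothetical, simplified stand-in for a per-operation revision check:
// each operation requires its own permission.
function demo_revision_access(array $perms, $op) {
  $map = array(
    'view' => 'view revisions',
    'update' => 'revert revisions',
    'delete' => 'delete revisions',
  );
  return isset($map[$op]) && in_array($map[$op], $perms, TRUE);
}

// Same shape as the reported line: "$op = 'view'" inside the call is an
// assignment expression, so the callee always receives 'view'.
function wrapper_buggy(array $perms, $op = 'view') {
  return demo_revision_access($perms, $op = 'view');
}

// Same shape as the fix: the caller's operation is passed through.
function wrapper_fixed(array $perms, $op = 'view') {
  return demo_revision_access($perms, $op);
}

// Returns the operations a wrapper grants that the per-operation
// check itself would deny for the same permission list.
function excess_grants($wrapper, array $perms) {
  $excess = array();
  foreach (array('view', 'update', 'delete') as $op) {
    $expected = demo_revision_access($perms, $op);
    if ($wrapper($perms, $op) && !$expected) {
      $excess[] = $op;
    }
  }
  return $excess;
}

// Constructed account: may view revisions, nothing else.
$perms = array('view revisions');

foreach (array('wrapper_buggy', 'wrapper_fixed') as $wrapper) {
  $excess = excess_grants($wrapper, $perms);
  echo $wrapper, ': ', $excess ? 'over-grants ' . implode(', ', $excess) : 'ok', "\n";
}
```

Running the same loop against every access wrapper in a module, once per operation and with a single-permission account, is a quick way to catch this class of hard-coded operation argument in review.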

Comments

acouch

Status: Active » Needs review
Attached file: status new, size 409 bytes

shenzhuxi

Assigned: Unassigned » shenzhuxi
Status: Needs review » Fixed

Committed.
Thanks.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.