If a content type is set for nodes to be published by default, newly submitted nodes will be shown to all users, including anonymous users, even if awaiting moderation.

The message saying "this node is awaiting moderation..." will also be shown to all users, which is rather odd.

This is a serious flaw. Moder8 should be able to supersede the Drupal core setting.

Of course you can uncheck the "published by default" option in your content type settings.

However, some users (admins, editors) would like nodes to be published straight away, rather than having to think about clicking the "published" checkbox every time. This is also a source of confusion if you install moder8 on a site that's been running for a while, where content types were set a long time ago. A lot of people would simply trust the module, only to find that moder8 doesn't do the job 3 weeks later.

CommentFileSizeAuthor
#4 559344-modr8-hide_message.patch903 bytesAaronBauman
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

mediameriquat’s picture

mediameriquat CreditAttribution: mediameriquat commented
Priority: Critical » Normal

I see that the nodes awaiting moderation are not listed on the default front page, and do not seem to appear in views, etc. -- which is good.

The README says that : "This is NOT an access control module, however, so (as with Drupal 4.7.x), posts that are in moderation can still be viewed if a user knows the path (URL) corresponding to that post."

However, the security concern persists, when there are some previsible pathauto settings, like [dd]/[mm]/[yy].

johngriffin’s picture

johngriffin CreditAttribution: johngriffin commented

I've just released a module which allows selected roles to bypass moderation. It can remove the modr8 checkbox for those roles and can also set nodes to be published by default, allowing you to unset published in the workflow settings.

http://drupal.org/project/modr8_bypass

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented
Status: Active » Closed (works as designed)

seems to be by design

AaronBauman’s picture

AaronBauman
he/him
CreditAttribution: AaronBauman commented
Title: Nodes awaiting moderation are visible to all users, if content type set to auto-published » "this node is awaiting moderation..." message should only be shown when relevant
Status: Closed (works as designed) » Active
FileSize
559344-modr8-hide_message.patch903 bytes

OK, so modr8 is not an access control issue - that's fine.

But, the message "The post has been submitted for moderation and won't be listed publicly until it has been approved." should only be shown to node author ($user->uid == $node->uid) or an administrator (user_access('administer nodes'))

here's a patch.

AaronBauman’s picture

AaronBauman
he/him
CreditAttribution: AaronBauman commented
Status: Active » Needs review
berenddeboer’s picture

berenddeboer CreditAttribution: berenddeboer commented

Hmm, I think this should be solved such that nodes in moderation are never published right?