In diff_menu_alter() the access callback is changed for the 'view' revision links. This becomes a problem when diff is disabled on a content type.

The diff callback does check 'administer nodes', but that's not enough; normal users should also be able to use this when they have this permission, diff enabled or not. And that still does not solve the problem, because the rendering of the view revision links and the 'view revision' button are both using the same function.

Install Drupal core, diff, workbench, workbench moderation to really enjoy this problem.


Comments

Rob C

And the root of the problem is in hook_menu(), where the access callback is changed, so valid users do not have permission when the option is disabled. The patch does not solve this; it's a bigger problem.

Rob C

Status: Needs review » Needs work
Rob C

Title: diff_node_revision_access() does not check user_access('view revisions') » user_access('view revisions') is not used for the 'view' link
Matroschker

Maybe I have the same problem.
Drupal 7.27, Revisioning Dev-version, Diff 7.x-3.2+20-dev

We check this with a user who has the Administrator role (with all permissions).
I have a node which is published, content is --> ABC.
I create a pending version, now the content is --> ABCDEF

In the tab "Revision operations" (from revisioning module) I can see one published revision and one pending revision; for both I can click on the creation date to view the different revisions. But if I click on the pending revision I always see the content --> ABC, but this isn't correct.

If I disable the DIFF module the link to the pending version shows me the content --> ABCDEF.

Is this the issue which is described here in this bug?

Thanks.
Matroschker

Rob C

Sounds very similar indeed.

JvE


I think the 'Enable the Revisions page for this content type' does exactly what it says.
It disables access to revision information for deselected content types.

This was introduced by popular demand way back in #413308: Display revisions by content type.

I do agree that disallowing access to revision information does not belong in the diff module.
I believe this was included because the thought was that diff would move into core soon.

Changing this functionality now would mean that on all sites that depend on this "feature" the revision information becomes available again for content types where it should not be.

Alan D.

Note, this could get complicated with a few modules interacting with this menu item... And #4 sounds like an issue in the other module.

Would a simple configuration option help here? You can turn off diff and use core instead.

Note if you run this patch on an old version, you will skip update diff_update_7307() that grants access to the View changes button. So you will need to manually set those permissions.