When we implemented #513078: Flexible revision permissions, we were too fast: we forgot that before that patch the "view revisions" access check went to Module Grants, where Module Grants itself was checking both the "view revisions" permission and basic "view" access to the node (line 428).
OTOH, the patch in #513078: Flexible revision permissions returns access skipping "view" access to the node, judging purely on whether the user has the "view revisions of own content" permission.
So a situation is possible where the user doesn't have access to the node but can view its revisions (if he knows the right URL). Granted, this situation is not very common (since it's the user's own content), but it is possible, so I think this issue is quite important.
The change is the following (sorry, no time for a patch, but it's simple):
In the function _revision_tasks_menu_access_callback() change the line

if ($node->uid == $user->uid && user_access('view revisions of own content')) {

to

if ($node->uid == $user->uid && user_access('view revisions of own content') && module_grants_node_access('view', $node)) {
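
The check before and after the one-line change, as an added stand-alone example that is not the Revisioning module's code: user_access() and module_grants_node_access() are local stand-ins over constructed data rather than the Drupal API, and revisions_access_before()/revisions_access_after() are hypothetical names for the two versions of the callback's "own content" branch.

```php
<?php
// Constructed data: per-user permissions and per-node "view" grants.
// uid 5 owns both nodes; node 7 is restricted so nobody may view it,
// node 8 grants "view" to uid 5.
$permissions = array(
  5 => array('view revisions of own content'),
);
$node_grants = array(
  7 => array('view' => array()),
  8 => array('view' => array(5)),
);

// Stand-in for Drupal's user_access(): role/permission check only.
function user_access($perm, $account) {
  global $permissions;
  $perms = isset($permissions[$account->uid]) ? $permissions[$account->uid] : array();
  return in_array($perm, $perms, TRUE);
}

// Stand-in for module_grants_node_access(): per-node access check.
function module_grants_node_access($op, $node, $account) {
  global $node_grants;
  $allowed = isset($node_grants[$node->nid][$op]) ? $node_grants[$node->nid][$op] : array();
  return in_array($account->uid, $allowed, TRUE);
}

// Before: ownership plus the permission, but no node-level "view" check.
function revisions_access_before($node, $account) {
  return $node->uid == $account->uid
    && user_access('view revisions of own content', $account);
}

// After: the permission is combined with node-level "view" access,
// so a node the user may not view no longer exposes its revisions.
function revisions_access_after($node, $account) {
  return $node->uid == $account->uid
    && user_access('view revisions of own content', $account)
    && module_grants_node_access('view', $node, $account);
}

$user       = (object) array('uid' => 5);
$restricted = (object) array('nid' => 7, 'uid' => 5);
$viewable   = (object) array('nid' => 8, 'uid' => 5);

// The old check lets the owner reach revisions of a node they cannot view.
assert(revisions_access_before($restricted, $user) === TRUE);
assert(revisions_access_after($restricted, $user) === FALSE);
// A node the owner may view is still reachable after the fix.
assert(revisions_access_after($viewable, $user) === TRUE);
echo "revision access checks behave as expected\n";
```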

Comments

rdeboer:

Thanks crea,
Will incorporate.
Rik

rdeboer:

Assigned: Unassigned » rdeboer
Status: Active » Fixed

Dev snapshots 15-Nov-09 or later.

pumpkinkid:

Could this be extended further to make sure that the user doesn't just have view access, but also edit access to the node? I'm just assuming, but would this cover it?

&& module_grants_node_access('edit', $node))

rdeboer:

This particular bit is about the permissions to "view", so testing for "edit" (update) would be inappropriate.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.