- 🇩🇪 Germany ronino
#2 works for me, thanks!
RickJ wrote:
I don't agree that this patch is necessary. The admin page in question already requires "View revisions" access, which is noted as a trusted permission. This permission in fact covers the "administer" case. Ordinary users should not be able to see other users' revisions for obvious security reasons.
In my opinion, viewing something should never cover administering something. The user module does it right, introducing two permissions to view users ("access user profiles") and administer them ("administer users"). Likewise this module should either use the existing "administer users" permission to restrict access to configuration (like the issue title implies) or introduce its own administer permission (like #2 does).
- Status changed to Postponed
2:05pm 4 April 2023 - 🇬🇧 United Kingdom rickj
Arguable.
Viewing revisions is not like viewing content, it's implicitly an administrative function in itself. Viewing the revision history of content other than your own is not something a normal user should be doing. So "view any revision" implies administration. Adding another permission just to manage access to the configuration page - with 2 options, 4 if diff is enabled - strikes me as overkill. I can see an argument for using "administer users" as the permission to protect that page though.
Also, would an "administer" permission override view-any, revert-any, and delete-any? It starts to get messy.
The fix in patch #5, which expands the permission descriptions, was rolled into the 7.x-2.x release anyway; I recommend using that release.
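As an added illustration of the two options argued over above (reusing the core "administer users" permission versus declaring a module-specific administer permission, separate from the view/revert/delete revision permissions), here is how a Drupal 7 module can gate its configuration page. This is example code written for this thread, not the module's own code or any patch in it; the module name `revision_example`, the settings path, the form and the variable names are hypothetical, while the hooks and helpers (`hook_permission`, `hook_menu`, `system_settings_form`, `module_exists`) are standard Drupal 7 API.

```php
<?php
// Added example, not code from the module discussed in this thread.
// 'revision_example', the admin path, the form and the variable names
// are hypothetical; the hooks are standard Drupal 7 API.

/**
 * Implements hook_permission().
 *
 * Declares a dedicated "administer" permission for the configuration page,
 * distinct from any "view revisions" style permission, mirroring how the
 * user module separates "access user profiles" from "administer users".
 * 'restrict access' => TRUE marks it as trusted-roles-only on the
 * permissions page.
 */
function revision_example_permission() {
  return array(
    'administer revision_example' => array(
      'title' => t('Administer revision settings'),
      'description' => t('Change module configuration. Give to trusted roles only.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 *
 * The configuration page is gated on the administer permission, not on a
 * view permission. The menu router checks access before the page callback
 * runs, so no further check is needed inside the form builder. To take the
 * other option raised in the thread instead, set 'access arguments' to
 * array('administer users') and drop the hook_permission() entry above.
 */
function revision_example_menu() {
  $items = array();
  $items['admin/config/content/revision_example'] = array(
    'title' => 'Revision settings',
    'description' => 'Configure revision handling.',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('revision_example_settings_form'),
    // 'access callback' defaults to user_access(), so this is the gate.
    'access arguments' => array('administer revision_example'),
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}

/**
 * Settings form: a couple of toggles, plus an extra one only when the diff
 * module is enabled, in the spirit of the small option count noted above.
 */
function revision_example_settings_form($form, &$form_state) {
  $form['revision_example_show_revert'] = array(
    '#type' => 'checkbox',
    '#title' => t('Show revert links'),
    '#default_value' => variable_get('revision_example_show_revert', 1),
  );
  $form['revision_example_show_delete'] = array(
    '#type' => 'checkbox',
    '#title' => t('Show delete links'),
    '#default_value' => variable_get('revision_example_show_delete', 1),
  );
  if (module_exists('diff')) {
    $form['revision_example_show_diff'] = array(
      '#type' => 'checkbox',
      '#title' => t('Show diff links'),
      '#default_value' => variable_get('revision_example_show_diff', 1),
    );
  }
  // system_settings_form() adds the submit button and persists each element
  // as a Drupal variable keyed by its form element name.
  return system_settings_form($form);
}
```

After adding or renaming a permission, clear the menu and permission caches (`drush cc all` or the Performance page), or the router will keep serving the old access arguments. A quick check that the gate works: log in as a role that has the view-revisions permission but not the administer one and request the settings path; the menu system should answer 403 before the form builder is ever invoked.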