My understanding is that if the user doesn't have edit history permission, the user should only ever see the most recent revision in the news feed (because it counts as the current version that they can see anyway when viewing the page). However, it looks like the news URL points to the edit history variant instead of the page itself, and the permissions for the edit history variant are too strict in this case.
The fix for this is two-fold:
- Don't throw a permission error if we attempt to view the current revision via do=history, and if the user has permission to view the page. It redirects to a URL we have permission to view!
- Use the page URL instead for the news entry, if the news entry is about the most recent edit.
Marked this as fixed in the next release.
In
src/addons/vw/vw/_core/controller/ui/page/vw.php, add the following method to the class:
Code:
public function has_permission($action = '', $do_error = true)
{
if ($action == 'history')
{
$input = vw_Hard_Core::controller('Input');
$haction = $input->clean_gpc('r', 'action', 'STR');
if ($haction == 'view')
{
$type = $input->clean_gpc('r', 'type', 'STR');
if (!$type)
{
$type = 'Page';
}
$obj = vw_Hard_Core::controller('UI/History')->create($this, $type, $haction);
$node = $obj->get_node();
$oldid = $input->clean_gpc('r', 'oldid', 'UINT');
if (!empty($this->item[$node['idfield']]) AND $this->item[$node['idfield']] == $oldid)
{
// this redirects to the main tab anyway
$action = 'main';
}
}
}
return parent::has_permission($action, $do_error);
}