_node_revision_access() in node.module is used to check whether or not someone should have access to delete, revert or view a revision.
I found this issue when trying to troubleshoot #2028303: Delete revisions link appears when user does not have delete revisions permission.
There are permissions that are installed in D7 for each of these tasks:
- View content revisions
- Revert content revisions
- Delete content revisions
However, the Administer Content role is given god status over all of these in _node_revision_access().
The main issue here is that the Administer Content permission is providing more access than expected.
I'd propose that this could be fixed in one of two ways:
- Remove the following code from node.module and let the specific revision permissions do their thing:

    <?php
    // In _node_revision_access(): grants every revision operation to any
    // account with 'administer nodes', overriding the per-operation
    // view/revert/delete revision permissions.
    elseif (user_access('administer nodes', $account)) {
      $access[$cid] = TRUE;
    }
    ?>

- Add additional help text to either the Administer Content permission or to the Revisions permissions. Perhaps it could say "This will have no effect if a role also has the Administer Content permission."
The second option is probably more plausible. Thoughts?
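To make the two behaviours discussed above concrete, here is an added example (not code from node.module or from the Drupal project) that models the decision in _node_revision_access() with plain arrays so it runs outside Drupal. It assumes the D7 machine names 'view revisions', 'revert revisions', 'delete revisions' and 'administer nodes' for the permissions named in the post; the real function also performs other checks (node access, current-revision handling) that are deliberately not modelled here.

```php
<?php
// Added example: models the access decision described in the issue, not the
// actual _node_revision_access() implementation. Permission machine names
// are assumed from Drupal 7; the account is a constructed list of strings.

/**
 * Decide whether an account may perform $op on a node revision.
 *
 * @param string $op
 *   One of 'view', 'update' (revert) or 'delete'.
 * @param array $account_perms
 *   Permission strings granted to the account (constructed for this example).
 * @param bool $admin_overrides
 *   TRUE models the current behaviour, where 'administer nodes' grants every
 *   operation; FALSE models the first proposed fix, where only the specific
 *   revision permission for $op is consulted.
 *
 * @return bool
 */
function revision_access_check($op, array $account_perms, $admin_overrides) {
  // Map each revision operation to the permission meant to govern it.
  static $op_permissions = array(
    'view'   => 'view revisions',
    'update' => 'revert revisions',
    'delete' => 'delete revisions',
  );

  if (!isset($op_permissions[$op])) {
    // Unknown operation: deny rather than fall through to an allow.
    return FALSE;
  }

  if ($admin_overrides && in_array('administer nodes', $account_perms, TRUE)) {
    // The branch the issue objects to: one broad permission wins before the
    // per-operation check is ever reached.
    return TRUE;
  }

  return in_array($op_permissions[$op], $account_perms, TRUE);
}

// Constructed sample accounts.
$admin_only = array('administer nodes');                   // no revision perms
$editor     = array('view revisions', 'revert revisions'); // may not delete

foreach (array('view', 'update', 'delete') as $op) {
  printf(
    "%-6s administer-nodes-only: current=%-5s proposed=%-5s | editor: %s\n",
    $op,
    revision_access_check($op, $admin_only, TRUE)  ? 'allow' : 'deny',
    revision_access_check($op, $admin_only, FALSE) ? 'allow' : 'deny',
    revision_access_check($op, $editor, FALSE)     ? 'allow' : 'deny'
  );
}
```

Running it shows the gap the issue describes: under the current model an account holding only 'administer nodes' is allowed to view, revert and delete revisions, while under the proposed model it is denied all three until the matching revision permission is granted; the editor account is allowed to view and revert but not delete in both models, because its access never depended on the administer branch.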