Problem/Motivation

At the moment the ContentModerationState entity has a rest resource plugin derivative. This derivative is useless because there is also a ContentModerationState access control handler which denies any operation to entities of that type. We essentially don't want anyone interacting those those entities, they should instead change states on the entities being moderated directly.

Proposed resolution

Remove the plugin, we don't need it and it looks confusing in UIs.

Remaining tasks

Commit.

User interface changes

API changes

CM is experimental, safe to remove an API we don't want people using.

Data model changes

Comments

naveenvalecha created an issue. See original summary.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

berdir’s picture

I assume this will be quite different to other tests.

A moderation state is not a standalone thing, it is closely tied to an actual entity that is being moderated. So the tests here will likely be very specific to it, to make sure that changing a moderation state does the thing it needs to to its moderated entity.

Another thing is validation and access logic. Of the moderation state itself, I'm not sure how much support we have for that already (e.g. that only some users can move to published and only some changes are allowed and so on) but also that you can directly change the status of a node anymore. #2068063: Change "Save and keep un-/published" buttons to a "Published" checkbox and an included "Save" button will likely add hook_entity_field_access() to enforce that.

wim leers’s picture

HeyLodyM’s picture

Assigned: Unassigned » HeyLodyM
Issue tags: +drupaldevdays
wim leers’s picture

Thanks, HeyLodyM!

wim leers’s picture

HeyLodyM’s picture

Assigned: HeyLodyM » Unassigned

To accomplish this task, I wanted to test a validated issue but I was stuck on this error:

./vendor/bin/phpunit -c core core/modules/rest/tests/src/Functional/EntityResour
ce/MenuLinkContent/MenuLinkContentJsonBasicAuthTest.php
PHPUnit 4.8.28 by Sebastian Bergmann and contributors.

F...

Time: 2.91 minutes, Memory: 6.00Mb

There was 1 failure:

1) Drupal\Tests\rest\Functional\EntityResource\MenuLinkContent\MenuLinkContentJsonBasicAuthTest::testGet
Failed asserting that Array &0 (
0 => 'canonical'
) is identical to Array &0 (
0 => 'canonical'
1 => 'edit-form'
2 => 'https://drupal.org/link-relations/delete-form'
).

/var/www/DrupalProject/drupal-8.3.x/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php:440

FAILURES!
Tests: 4, Assertions: 163, Failures: 1.

If someone has an idea?

wim leers’s picture

sam152’s picture

wim leers’s picture

I was just coming here to do exactly that! Thanks, @Sam152 :)

wim leers’s picture

wim leers’s picture

Actually, based on what I've just been doing in #2835767: Media + REST: comprehensive test coverage for Media + MediaType entity types, I think a similar approach is warranted here.

  1. In #2779931: Add storage exception that enforces unique content_entity_type_id and content_entity_id on the content moderation state content entity, and add access control handler to forbid all access, we added an access control handler that forbids every operation on content_moderation_state entities, including viewing.
  2. Yet the entity:content_moderation_state derivative REST resource plugin still exists!
  3. This means that when the REST UI module is installed, it's possible to configure a REST resource that exposes Content Moderation State entities:

    … yet it won't work because of point 1.

The solution is simple: we remove the entity:content_moderation_state derivative REST resource plugin — which is exactly what #2835767: Media + REST: comprehensive test coverage for Media + MediaType entity types does for the Media module's entities.

wim leers’s picture

Component: rest.module » content_moderation.module
Assigned: wim leers » Unassigned
Priority: Normal » Major
Status: Active » Needs review
StatusFileSize
new2.43 KB
new1.5 KB

The last submitted patch, 14: 2843753-14.patch, failed testing. View results

Status: Needs review » Needs work

The last submitted patch, 14: 2843753-14-test_only_FAIL.patch, failed testing. View results

wim leers’s picture

Status: Needs work » Needs review
StatusFileSize
new736 bytes
new1.39 KB
new2.43 KB

Small naming problem.

amateescu’s picture

Title: EntityResource: Provide comprehensive test coverage for ContentModerationState entity » Prevent ContentModerationState from being exposed by REST's EntityResource
+++ b/core/modules/content_moderation/tests/src/Functional/ModerationStateResourceTest.php
@@ -0,0 +1,38 @@
+class ModerationStateResourceTest extends BrowserTestBase {

Why is this a Browser test? As far as I see it doesn't interact with any page, so it can simply be a kernel test?

Edit: and there's still a small naming problem: ContentModerationStateResourceTest

wim leers’s picture

StatusFileSize
new1.45 KB
new1.39 KB
new2.43 KB

Edit: and there's still a small naming problem: ContentModerationStateResourceTest

Well spotted! I only noticed it because testbot complained. Already fixed in #18 :)

so it can simply be a kernel test?

Great point, done!

wim leers’s picture

Oh, perhaps you meant that it should be renamed from ModerationStateResourceTest to ContentModerationStateResourceTest? Happy to do that. I named it like that because almost everything else is called ModerationState*Test.php. Perhaps the reasoning is just not clear to me.

Let me know, happy to reroll.

amateescu’s picture

@Wim Leers, I think the name of the test class should be ContentModerationStateResourceTest because it tests the ContentModerationState entity type :)

The last submitted patch, 17: 2843753-15-test_only_FAIL.patch, failed testing. View results

wim leers’s picture

Assigned: Unassigned » wim leers
Status: Needs review » Needs work

Fair!

wim leers’s picture

Assigned: wim leers » Unassigned
Status: Needs work » Needs review
StatusFileSize
new949 bytes
new2.46 KB
amateescu’s picture

Status: Needs review » Reviewed & tested by the community

Looks good to me now :)

larowlan’s picture

+++ b/core/modules/content_moderation/content_moderation.module
@@ -248,3 +248,13 @@ function content_moderation_workflow_insert(WorkflowInterface $entity) {
+  // ContentModerationState is an internal entity type. Therefore it should also
+  // not be exposed via REST.

nit:not sure the word 'also' is needed here (can be fixed on commit)

plach’s picture

Issue tags: +WI critical

@Wim Leers and @xjm suggested to add this as a MUST-HAVE for the Workflow Initiative.

plach’s picture

[removed]

larowlan’s picture

Status: Reviewed & tested by the community » Needs review
Issue tags: +Needs issue summary update

Updating issue credit to add @amateescu who helped shape patch

Can we get an issue summary update as the proposed resolution isn't where the patch ended up.

sam152’s picture

Issue summary: View changes

  • larowlan committed 930a35b on 8.4.x
    Issue #2843753 by Wim Leers, amateescu: Prevent ContentModerationState...
larowlan’s picture

Status: Needs review » Fixed
Issue tags: -Needs issue summary update

Thanks @Sam152 for updating issue summary

Fixed on commit

diff --git a/core/modules/content_moderation/content_moderation.module b/core/modules/content_moderation/content_moderation.module
index 72df8c8..0dc03bf 100644
--- a/core/modules/content_moderation/content_moderation.module
+++ b/core/modules/content_moderation/content_moderation.module
@@ -267,8 +267,8 @@ function content_moderation_workflow_update(WorkflowInterface $entity) {
  * Implements hook_rest_resource_alter().
  */
 function content_moderation_rest_resource_alter(&$definitions) {
-  // ContentModerationState is an internal entity type. Therefore it should also
-  // not be exposed via REST.
+  // ContentModerationState is an internal entity type. Therefore it should not
+  // be exposed via REST.
   // @see \Drupal\content_moderation\ContentModerationStateAccessControlHandler
   unset($definitions['entity:content_moderation_state']);
 }

Committed as 930a35b and pushed to 8.4.x. On with the next WI critical!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.