diff --git a/core/modules/moderation/src/Access/DraftAccess.php b/core/modules/moderation/src/Access/DraftAccess.php
index 9f97c84..13bd137 100644
--- a/core/modules/moderation/src/Access/DraftAccess.php
+++ b/core/modules/moderation/src/Access/DraftAccess.php
@@ -47,8 +47,9 @@ public function __construct(EntityManagerInterface $entity_manager) {
 * {@inheritdoc}
 */
 public function access(Route $route, AccountInterface $account, NodeInterface $node = NULL) {
- // @todo needs to check node access as well.
- return AccessResult::allowedIf(moderation_node_has_draft($node));
+ // Check that the user has the ability to update the node, and that the node
+ // has a draft.
+ return AccessResult::allowedIf($node->access('update', $account) && moderation_node_has_draft($node));
 }
 }
diff --git a/core/modules/moderation/src/Tests/ModerationNodeTest.php b/core/modules/moderation/src/Tests/ModerationNodeTest.php
index cd0799c..aee316d 100644
--- a/core/modules/moderation/src/Tests/ModerationNodeTest.php
+++ b/core/modules/moderation/src/Tests/ModerationNodeTest.php
@@ -151,6 +151,22 @@ function testBasicForwarRevisions() {
 // Edit the node.
 $this->drupalGet('node/' . $node->id() . '/edit');
 $this->assertButtons([t('Save as draft')], FALSE, t('Save as draft'));
+ $edit = [
+ 'title[0][value]' => 'Draft one title',
+ 'body[0][value]' => 'Draft one body',
+ ];
+ $this->drupalPostForm('node/' . $node->id() . '/edit', $edit, t('Save as draft'));
+ $this->assertLink(t('Draft'));
+
+ // User with view, but not update, permissions, should not see the draft
+ // tab.
+ $this->drupalLogout();
+ $this->drupalGet('node/' . $node->id());
+ $this->assertNoLink(t('Draft'), 'The draft tab does not appear for users without update access.');
+
+ // And should not be able to access it directly either.
+ $this->drupalGet('node/' . $node->id() . '/draft');
+ $this->assertResponse(403, 'Access is denied for the draft page for users without update access.');
 }
 }
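Review bot: The new `return` line dereferences `$node` unconditionally while the signature still declares `NodeInterface $node = NULL`, so a route that resolves without a node now produces a fatal error instead of a denial; guard it first with `if (!$node) { return AccessResult::forbidden(); }` (or a neutral result, whichever this checker's contract expects). Separately, collapsing the entity access check to a boolean discards the cacheability metadata that `$node->access('update', $account, TRUE)` would return, and the has-draft condition depends on the node's state, so the combined result is cached without the node as a dependency; prefer `return $node->access('update', $account, TRUE)->andIf(AccessResult::allowedIf(moderation_node_has_draft($node)))` and attach the node as a cacheable dependency using whatever helper this version of `AccessResult` provides. The surrounding class header and constructor lie outside the hunk.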
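Review bot: The negative assertion after `drupalLogout()` is vacuous if the anonymous user cannot view the node at all, since `assertNoLink(t('Draft'))` also passes on a 403 page; add `$this->assertResponse(200, 'Anonymous user can view the node.');` right after `$this->drupalGet('node/' . $node->id());` so the test actually exercises "view but not update". The comment says "User with view, but not update, permissions" but the hunk never creates or logs in such a user, so either the comment should say "Anonymous user" or the test should log in a user with only the view permission, which would also cover authenticated users without update access. `testBasicForwarRevisions` begins before the hunk.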