Problem/Motivation

When using both a "live"/build server and a preview server,
and the option "Only trigger builds for published content" is EITHER checked or not,
and the user saving the content has permission to see draft content,
and there is related content that has an unpublished default revision (ie, never before published),
the unpublished related content is posted to the live/build server.

For our purposes we are using nodes and storage entities, and content moderation is enabled for both.

Steps to reproduce

Install "storage" module, or use another entity type.
Create a storage type.
Create a content type with an entity reference field to the storage type.
Enable content moderation workflows for both.
Create a storage entity and save it as a draft/unpublished.
Create a node and relate the storage entity to it.
Publish the node, but do not publish the storage entity.
Observe: JSON stored in fastbuild log is based on content editor's permissions, and includes unpublished related storage entities.
When the API user requests the fastbuilds endpoint, that user's permissions are not validated and it is served the stored json, regardless of what it should have access to.

Proposed resolution

I'm not sure what the best resolution is here, in the module itself. I have created a workaround for it, by using a RouteSubscriber to override the GatsbyFastbuildsController, and I have attached that override here. You can see I'm re-adding the json when the API user requests the data, so that user's permissions are taken into account.

CommentFileSizeAuthor
#5 3347297-5.patch18.75 KBapmsooner
GatsbyFastbuildsOverride.txt2.42 KBlisagodare

Issue fork gatsby-3347297

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

lisagodare@gmail.com created an issue. See original summary.

mmafe’s picture

mmafe commented

We are also experiencing this issue.

In our case, we're not using storage entities. We are using content moderation with node entities.
Randomly, pages that are unpublished are leaking onto the live/build server.

Hoping there's going to be a resolution quickly for this one as our users can no longer rely on an "unpublished" page being unpublished.

apmsooner made their first commit to this issue’s fork.

apmsooner opened merge request !66

apmsooner’s picture

apmsooner commented
Status: Active » Needs review
StatusFileSize
new 3347297-5.patch18.75 KB

I don't know if this solves your exact issue or not and it's difficult to test locally without having a separate preview/build server but this patch syncs up the logging service with the hooks, factors in the build_published option to early return for non-node entities when its true, and accounts for entities like "redirects" that don't have a publish state to also be triggered. It "should" resolve draft versions getting on build server. @lisagodare, your description involving referenced entities also in a moderated state may be a more unique issue and seemingly to me a case where those references might be better served as entity_reference_revisions if you're still having issues beyond this patch.

apmsooner’s picture

apmsooner commented

Noting here also... per Shane & Tyler at Gatsby, the version 2 of the module depends on fast_builds being enabled and thus it never sends json to the gatsby site like version 1 did. It just creates the log entity and triggers the gatsby site to make a request to the api endpoint to retrieve the data. So i've removed the json variables from the functions and the json logging setting should really just go away as its irrelevant since the data exists in the logging entity itself. One other important note, the "Only trigger builds for published content" is confusing as it really restricts updates to just nodes. The caveat of having this setting enabled means things not referenced to the node in an "entity reference" way like path aliases and redirects don't get triggered as part of node updates. I personally recommend disabling that setting.

shrop’s picture

shrop commented

Thanks for the updates @apmsooner. We will test this as a next step.

For the "Only trigger builds for published content" not being set, what would be a process to ensure live content isn't published or is it covered via Fastbuilds publish/preview payloads?

slydevil’s picture

slydevil commented
Status: Needs review » Reviewed & tested by the community

Patch works great!

lisagodare’s picture

lisagodare
she/they
commented

This patch appears to work great for our needs.

We don't want to use Entity Reference Revisions fields, because we don't want to associate a specific revision of a related entity on the relating entity. This is because multiple different entities may relate to it, and we don't want them each showing a different revision. They should all show the same revision - either the default revision, if published, on the 'live' build; or the latest revision, published or not, on the 'preview' build.

  • apmsooner committed 9ffa6b47 on 2.0.x 
    Issue #3347297 by apmsooner, lisagodare@gmail.com, slydevil, shrop:...
apmsooner’s picture

apmsooner commented
Status: Reviewed & tested by the community » Fixed

Merging to dev.

apmsooner’s picture

apmsooner commented
Status: Fixed » Closed (fixed)