Problem/Motivation

When retrieving an entity from JSON:API that is currently versioned in the workspace, access is denied unless the user also has "view all revisions", which should not be necessary, as the node's swapped revision itself is accessible by the same user.

JSON:API does an explicit check on isDefaultRevision() which is causing the issue.

Steps to reproduce

1. Install Drupal
2. Enable workspaces, jsonapi
3. Create and save a page, then edit the page in the default Stage workspace.
4. Log in as a user with a role that has access to workspaces, but not "view all revisions", and ensure you can see the change in #3 on node/1
5. Visit /jsonapi/node/page?filter[drupal_internal__nid]=1
6. Verify error: "The current user is not allowed to GET the selected resource. The user does not have access to the requested version."

If you add "view all revisions" to anonymous users, it works, but that should not be necessary given that they can already view the workspace'd revision by visiting node/1.

Proposed resolution

TBD

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Comments

djdevin created an issue. See original summary.

Issue summary: View changes

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.