My problem is that all users can see my nodes even if I didn't publish them. I have the Content Access extension installed, and the normal content access control by content type works, but if I take a link of an unpublished node (with the content type allowed to anonymous users) and I paste it in another browser without any login, the page is accessible. If I disable the Content Access extension the problem disappears, so I think that the problem has to be related to this extension... I've checked all permissions... I've checked all permissions of every content type, but the problem isn't about the configuration of a particular content type, because this problem exists with more types (I didn't check all content types, but more than one). I checked the users' permissions. I don't have any active permission to bypass access control or show unpublished nodes... So I don't know where the problem may be.
Can someone help me, please? Thanks

Files:
Comment | File | Size | Author
#22 | content_access-fix_unpublished_nodes-1147526-22.patch | 432 bytes | Akaoni
    PASSED: [[SimpleTest]]: [MySQL] 32,732 pass(es).
#20 | content_access-fix_unpublished_nodes-1147526-20.patch | 430 bytes | Akaoni
    FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch content_access-fix_unpublished_nodes-1147526-20.patch.
#17 | content_access-fix_unpublished_nodes-1147526-17.patch | 429 bytes | Akaoni
    FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch content_access-fix_unpublished_nodes-1147526-17.patch.

Comments

good_man’s picture

So you want anon. to see only published content not the unpublished ones? btw, how can anon. users get the link of unpublished content?

tmm360’s picture

They can't, but this isn't the point. Users that aren't allowed to access unpublished documents mustn't access unpublished documents, even if they have the link...

tmm360’s picture

Isn't this a bug? Is it normal?

Akaoni’s picture

Category: support » bug

It is a bug as unpublished content in Drupal 7 isn't available to anonymous users.
When Content Access is enabled this content becomes available to all and there's no way to fix it.

I'd be keen to see this fixed.

Akaoni’s picture

Title: My site with Drupal shows my unpublished nodes to all, also to anonymous users » Unpublished nodes displayed anonymous users

Shortened title.

Akaoni’s picture

Title: Unpublished nodes displayed anonymous users » Unpublished nodes displayed to anonymous users

Missed the "to". Oops. ;)

enrikito’s picture

subscribing.

this is a security issue

trevorwh’s picture

I'll be looking into this issue in the next week and seeing if I can come up with a patch for it... in the meantime if anyone has any suggestions on where to look please let me know :)

FiNeX’s picture

subscribing

Akaoni’s picture

Had a quick look into this and I'd say the best mechanism is to not apply any Content Access grants to unpublished nodes.
These nodes will then default to the standard Drupal 7 behavior:
http://drupal.org/node/1106606

Code update for content_access.module:

/**
 * Implements hook_node_access_records().
 */
function content_access_node_access_records($node) {
  if (content_access_disabling() || !$node->status) {
    return;
  }

...
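
A regression test for the behaviour this change is meant to restore, as an added example that is not part of the original comment or of the Content Access module. It is a Drupal 7 SimpleTest case; the class name is hypothetical, and it assumes the standard install profile (a `page` type that anonymous users may view) and the module's default per-type settings.

```php
<?php
/**
 * Added example: checks that an unpublished node is not reachable by URL
 * while Content Access is enabled. Hypothetical class, not project code.
 */
class ContentAccessUnpublishedExampleTest extends DrupalWebTestCase {

  public static function getInfo() {
    return array(
      'name' => 'Unpublished node access (example)',
      'description' => 'Anonymous users must not reach unpublished nodes by URL.',
      'group' => 'Content Access',
    );
  }

  public function setUp() {
    parent::setUp('content_access');
    // Make sure the node access table is in a rebuilt state before the test.
    node_access_rebuild();
  }

  public function testAnonymousCannotViewUnpublished() {
    // Control node (published) and the node under test (unpublished).
    $published = $this->drupalCreateNode(array('type' => 'page', 'status' => NODE_PUBLISHED));
    $unpublished = $this->drupalCreateNode(array('type' => 'page', 'status' => NODE_NOT_PUBLISHED));

    // With the !$node->status condition, the hook hands back no grants.
    $records = content_access_node_access_records($unpublished);
    $this->assertTrue(empty($records), 'No Content Access grants for an unpublished node.');

    // Nothing may be stored in {node_access} for the unpublished node either.
    $rows = db_query('SELECT COUNT(*) FROM {node_access} WHERE nid = :nid',
      array(':nid' => $unpublished->nid))->fetchField();
    $this->assertEqual($rows, 0, 'No grant rows stored for the unpublished node.');

    // The test browser starts logged out, so both requests are anonymous.
    $this->drupalGet('node/' . $published->nid);
    $this->assertResponse(200, 'Published node is visible to anonymous users.');
    $this->drupalGet('node/' . $unpublished->nid);
    $this->assertResponse(403, 'Unpublished node is denied to anonymous users.');
  }

}
```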

Akaoni’s picture

Status: Active » Needs review
Issue tags: +Needs tests

danielb’s picture

People like being able to control node access on pre-published nodes, for example; to give a particular user the ability to edit and review the content before it is published.

Crusher’s picture

@Akaoni: thx a lot! Works fine for me.

Access is denied until I publish the node or by enabling the following permissions:
- View own unpublished content
- [Content-Type] Edit own content
- optional: Administer content (publishing option)

Administrators have of course full access the whole time.

I compared the behavior with D6 and CA. I see no difference right now.

Try to save an existing, unpublished node. Changes should take effect and unpublished nodes are protected.

Akaoni’s picture

@danielb: Totally agree. This is more of an additional feature of Content Access, though. I think we need to focus on getting the bug fixed in the short term.

@Crusher: Glad it worked. ;)

mithman’s picture

I tested the fix and it doesn't seem to be working as I would expect. The additional condition blocks anonymous as well as anyone else without special administrative privilege from viewing the entry.

Akaoni’s picture

@mithman: Yep, this is the default Drupal 7 behaviour:
http://drupal.org/node/1106606

You can enable 'View own unpublished content' or 'Bypass content access control' (use extreme caution) for different roles, but anything more granular would need to be a new Content Access feature.

Akaoni’s picture

Status: new | Size: 429 bytes
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch content_access-fix_unpublished_nodes-1147526-17.patch.

Created a patch.

Status: Needs review » Needs work

The last submitted patch, content_access-fix_unpublished_nodes-1147526-17.patch, failed testing.

Akaoni’s picture

Status: Needs work » Needs review

Woah. OK, didn't expect it would get picked up by the Automated Tester.
Thoughts anyone?

Akaoni’s picture

Status: new | Size: 430 bytes
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch content_access-fix_unpublished_nodes-1147526-20.patch.

Missing LF at end of patch file?

Status: Needs review » Needs work

The last submitted patch, content_access-fix_unpublished_nodes-1147526-20.patch, failed testing.

Akaoni’s picture

Status: Needs work » Needs review
Status: new | Size: 432 bytes
PASSED: [[SimpleTest]]: [MySQL] 32,732 pass(es).

Last try, then I give up.

BenK’s picture

Hmmm.... I agree that we should get something working here ASAP. And since the access control of unpublished nodes was not part of the D6 version of Content Access, extending Content Access to cover that in D7 is probably something for later. A good feature request, though.

That being said, I'm not sure if the patch in #22 is the best place in the code to disable the effect of Content Access on unpublished nodes. We should ask fago, perhaps, about how to handle this. Let me see if I can reach him.

--Ben

good_man’s picture

BenK, I think the patch in #22 is a quick fix for that, although Content Access should preserve the core access controls if you didn't override it.

I'm with committing this patch now.

BenK’s picture

Status: Needs review » Reviewed & tested by the community

I did some more thinking about this and also tested the patch.

I think the way forward is to limit Content Access to only work on published nodes (just as this patch has done). There are already other modules such as view_unpublished (http://drupal.org/project/view_unpublished) that provide access control exclusively for unpublished nodes. So I don't think we actually need to duplicate that functionality in Content Access. It should be no problem to use Content Access and view_unpublished together.

So anyway, I've tested the patch and it's working perfectly for me. Plus, it's a very simple patch. So I'm marking this as RTBC.

@good_man: Can you commit the patch ASAP?

Thanks,
Ben

good_man’s picture

Status: Reviewed & tested by the community » Fixed

Thanks BenK, and I agree with you, let the unpublished access control thing away for now, and maybe in future we can add it as a feature.

Committed the patch, thanks all for the work and excuse my late reply.

Akaoni’s picture

Thanks for testing and committing, folks!!

fago’s picture

Sounds good. Is that still reflected in the UI/docs like it was in d6?

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

MrHaroldA’s picture

A small question about the fix for this issue: it seems that the 'View own unpublished content' permission is ignored by only looking at the status of a node?

Or is there some other support for viewing own unpublished content in content_access?

good_man’s picture

@MrHaroldA: yes status of node indicates whether the node is published or not. Read the issue to see alternatives as there are other modules to deal with unpublished nodes access.

MrHaroldA’s picture

@good_man, can you give me some pointers on those modules? I've looked into 'view_unpublished' but that module has no user context, only roles. (view all unpublished -vs- view own unpublished, which I need)

'Public Preview' only handles nodeapi/view, which is handled by D7 core now. I need to set realms/grants since that's the only thing apachesolr_access checks on.