The 'view unpublished' module gives my users the freedom to select unpublished nodes. This is great for my case.
But the implemented hook_field_prepare_view function in the node reference module only filters out non-published content if the user has no 'administer nodes' right. This is bad for me.

So that my users can see the node ref field in the view, I currently have to grant the 'administer nodes' right to these users. But this gives me security issues, because there are users who shouldn't use the features which the 'administer nodes' right gives them.

Node reference should be more flexible in this case. For example, the 'view unpublished' permission should be a possible filter criterion instead of administer rights.

I know there's the node reference view module, but then I'd have to edit and manage many, many views. If node reference itself were more flexible, the target would be achieved in one simple way.


Comments

seattlehimay’s picture

Subscribing.

I have a list of grant awardees that references the original grant they applied for. Periodically, these grants are "unpublished" when they are no longer offered. When that happens, I cannot publish a list of awardees sorted by grant (since anon users don't have access to unpublished grant nodes). So even though I don't need them to see the actual unpublished award pages, I think it is reasonable for them to see the name of the grant. Hope this makes sense.

Neue Werte’s picture

Subscribe.

This is a feature, isn't it? But it seems as if an error must be somewhere here, as it has not worked for me since updating to this release.
node_reference.module line 251:

      // Take the 'view own unpublished content' permission into account to
      // decide whether unpublished nodes should be hidden.
      if (!user_access('administer nodes') && !user_access('bypass node access')) {
        if (user_access('view own unpublished content') && $own_unpublished = db_query('SELECT nid FROM {node} WHERE uid = :uid AND status = :status', array(':uid' => $GLOBALS['user']->uid, ':status' => NODE_NOT_PUBLISHED))->fetchCol()) {
          // (n.nid IN (nodes) AND n.status = 1) OR n.nid = (unpublished)
          $condition = db_or()
            ->condition($condition)
            ->condition('n.nid', $own_unpublished, 'IN');
        }
      }

bforchhammer’s picture

dpmicha: I think your issue may be better described in #1354580: Unpublished nodes are not displayed, which is concerned with the core view own unpublished content permission.

The View unpublished module provides permissions view any unpublished content and view any unpublished [content-type] content. I am also interested in having these integrated with the references module...

yched’s picture

Status: Active » Fixed

Added as part of the fix for #1354580: Unpublished nodes are not displayed. Will be in 7.x-2.1.

yched’s picture

Category: support » feature
bforchhammer’s picture

Version: 7.x-2.0-beta3 » 7.x-2.x-dev
Status: Fixed » Active

Thanks yched, it's great to have the view any unpublished content permission in! :-)

What's still missing are the more granular permissions for each content type, e.g. view any unpublished [content-type]. I'll write a patch when I find the time.

alfaguru’s picture

Modules such as view unpublished and Workbench Moderation could in principle implement the query_node_access_alter hook in order to deal with this issue. However, those hook implementations might be very tricky to write, and would be an overhead on every node query.

It would arguably be better if there were a core node_access type call to which you could pass an array of node IDs.

In the absence of such solutions I suggest that the node_reference module be patched to call node_load and node_access per id to be checked. In most cases this will only be for a small number of nodes per page which will be fully fetched anyway during the page display cycle. (Alternatively, this module could implement some hook of its own to make it easier to solve the problem on a case by case basis.)

Patch to use node_access calls attached.

Andrew M Riley’s picture

Updated alfaguru's patch to use node_load_multiple/formatting. This patch applies against 7.x-2.x

my-family’s picture

We have the 7.x-2.1 version and users with only "view own unpublished content" (core) cannot reference unpublished nodes and they don't view referenced nodes via the views module (we use the reversed relationship).

We use the "view_unpublished" module at the same time.

Users with the permission "view any unpublished [CONTENTTYPE] content" have no problems, everything works fine for them.

Does it mean I have to use the -dev version to be able to access referenced content only with the "view own unpublished content" (core) permission? Or possibly the -dev version with the #8 patch?

I thought that it has been fixed for core permissions (#4 comment) but now I am confused. Thank you in advance for help.

Andrew M Riley’s picture

my-family, the problem I'm running into is that a user has access to read unpublished nodes of type X but they do not have the ability to read all unpublished nodes. When that user tries to reference an unpublished node of type X that someone else has created, the node will show up as not having access.

In the 2.1 release the logic in node_reference_field_prepare_view first checks if the user does not have access to "view any unpublished content". In my case the user does not have that permission so it immediately adds a condition of "n.status = 1" which requires the node to be published for my user to be able to see it.

Both -dev and 2.1 have this n.status condition check.

While this module implementing its own queries is most likely faster than having full node_load() and node_access() checks, it's duplicating logic that Drupal has already created, doesn't allow other modules to modify the permissions, and it introduces errors into how the user assumes the permissions for nodes would work (when referenced).
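The gap between a status-only condition and Drupal's own access check, as discussed in the comments above, shown as an added example that is not taken from node_reference or from any patch attached to this issue. The `example_reference_*` function names are hypothetical, the status-only query is a simplified model of the "n.status = 1" condition, and the code assumes it lives in a module on a bootstrapped Drupal 7 site.

```php
<?php
/**
 * Status-only filter: a simplified model of the "n.status = 1" condition.
 * It ignores every permission other than the node being published.
 */
function example_reference_published_nids(array $nids) {
  if (empty($nids)) {
    return array();
  }
  return db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.nid', $nids, 'IN')
    ->condition('n.status', NODE_PUBLISHED)
    ->execute()
    ->fetchCol();
}

/**
 * Per-node check: lets node_access() decide, so core permissions, node
 * grants and any module's hook_node_access() implementation are honoured.
 */
function example_reference_viewable_nids(array $nids, $account = NULL) {
  if (empty($nids)) {
    return array();
  }
  $account = isset($account) ? $account : $GLOBALS['user'];
  $viewable = array();
  // node_load_multiple() silently drops IDs of deleted nodes.
  foreach (node_load_multiple($nids) as $nid => $node) {
    if (node_access('view', $node, $account)) {
      $viewable[] = $nid;
    }
  }
  return $viewable;
}

/**
 * Audit helper: referenced nodes the account may view according to
 * node_access() but which a status-only filter would hide from them.
 */
function example_reference_hidden_by_status_filter(array $nids, $account = NULL) {
  return array_values(array_diff(
    example_reference_viewable_nids($nids, $account),
    example_reference_published_nids($nids)
  ));
}
```

A non-empty result from the audit helper for a user who holds only a per-content-type unpublished permission is the symptom described in this thread: access is denied by the reference field even though node_access() would allow it.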

Andrew M Riley’s picture

Status: Active » Needs review

I'm adding a quick patch for anybody who is using 2.1 (not -dev) and just wants to cleanly apply a patch. If you want the patch for -dev please see #8.

my-family’s picture

Unfortunately, the patch #11 did not help in my situation.
Users still cannot reference unpublished content in the node form (they don't see unpublished nodes in autocomplete widget) and they don't see referenced unpublished content in views.

I still need the "view ANY unpublished [CONTENTTYPE] content" permissions for users to allow them what they are supposed to do.

Anyway, @Andrew M Riley, thank you for your help, maybe my relationships are too complex.

my-family’s picture

UPDATE: the patch #11 helped me though in one situation:

Surprisingly, users were not able to see a simple unpublished nodereference in views (without reversed relationship), EVEN with the "view ANY unpublished [CONTENTTYPE] content" permission.

With the patch they can. Thank you once more, I will keep testing.

my-family’s picture

Is there any progress in this issue? I still need the "View any unpublished content" permission, which is not appropriate for my particular situation. Thank you in advance for any help.

s.kim’s picture

Updated node visibility check patch to be used with 2.2