From #4:

My use case is this: I want to have people 1) create an account (user role: authenticated) and 2) create a profile (in this case, a node). After a review of their node, their user account gets promoted to one of several other roles, and those elevated roles have permission to "view published content" - but the authenticated user should not have this permission.

From my testing, this is impossible to do without an access control module since access to the node/add page (or any specific node/add/X page) is also controlled by the "view published content" permission.

CommentFileSizeAuthor
#25 1368610-25.patch913 byteseffulgentsia
#24 1368610-24.patch825 byteseffulgentsia
#12 core-fix_overly_restrictive_check_on_all_node_ops-1368610-11.patch608 byteskq_sb
#5 core-fix_overly_restrictive_check_on_all_node_ops-1368610-5.patch552 bytesjenlampton
#5 core-fix_overly_restrictive_check_on_all_node_ops-1368610-5-do-not-test.patch492 bytesjenlampton
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

kmajzlik’s picture

kmajzlik CreditAttribution: kmajzlik commented

(i am using Domain module can that be problem?)

kmajzlik’s picture

kmajzlik CreditAttribution: kmajzlik commented
Project: Content Access » Drupal core
Version: 7.x-1.x-dev » 7.10
Component: Code » node system

Hm i made some research.
- All access modules are out.
- User has ONLY permission to create Page content type.
- User has "Access denied" on /node/add/page

Any logic reason for that?

kmajzlik’s picture

kmajzlik CreditAttribution: kmajzlik commented
Category: bug » support
Priority: Major » Minor
Status: Active » Closed (works as designed)

Sorry my fault. Now clean install, Content Access, Domain and everything works well.
Solution: /admin/structure/types/[TYPE]/access - expand Advanced. Give content node grants priority to 10. Flush all caches, rebuild content permissions.

jenlampton’s picture

jenlampton
she / her
CreditAttribution: jenlampton commented
Title: Why "access content" affects "create node"? » Users must have permission to "view published content" in order to create a node of any type.
Version: 7.10 » 7.19
Category: support » bug
Priority: Minor » Normal
Status: Closed (works as designed) » Active

I think this may actually be a bug - perhaps it is by design, but if so I'd like someone to confirm that :)

My use case is this: I want to have people 1) create an account (user role: authenticated) and 2) create a profile (in this case, a node). After a review of their node, their user account gets promoted to one of several other roles, and those elevated roles have permission to "view published content" - but the authenticated user should not have this permission.

From my testing, this is impossible to do without an access control module since access to the node/add page (or any specific node/add/X page) is also controlled by the "view published content" permission.

Is this a mistake?

jenlampton’s picture

jenlampton
she / her
CreditAttribution: jenlampton commented
Version: 7.19 » 8.x-dev
Status: Active » Needs review
Issue tags: +Needs backport to D7
FileSize
core-fix_overly_restrictive_check_on_all_node_ops-1368610-5-do-not-test.patch492 bytes
core-fix_overly_restrictive_check_on_all_node_ops-1368610-5.patch552 bytes

Okay, I think I found the problem.

There is a check in node_access for 'access content' without checking the $op, and it will always return false, even affecting node/add and node/add/X

Patches for 8.x and 7.x attached.

Status: Needs review » Needs work

The last submitted patch, core-fix_overly_restrictive_check_on_all_node_ops-1368610-5.patch, failed testing.

andypost’s picture

andypost
he/him
Primary language Russian
CreditAttribution: andypost commented
Issue tags: +Needs tests

This has overlap with #1818556: Convert nodes to the new Entity Field API
Anyway we needs fix tests and add new one

jenlampton’s picture

jenlampton
she / her
CreditAttribution: jenlampton commented
Status: Needs work » Needs review
Issue tags: -Needs tests

Patches still apply cleanly, and locally the same tests are not failing for me, so re-queueing for more accurate test results.

jenlampton’s picture

jenlampton
she / her
CreditAttribution: jenlampton commented
Issue tags: +Needs tests

Whoops, lost important tag.

jenlampton’s picture

jenlampton
she / her
CreditAttribution: jenlampton commented
Issue tags: -Needs tests, -Needs backport to D7

#5: core-fix_overly_restrictive_check_on_all_node_ops-1368610-5.patch queued for re-testing.

Status: Needs review » Needs work

The last submitted patch, core-fix_overly_restrictive_check_on_all_node_ops-1368610-5.patch, failed testing.

kq_sb’s picture

kq_sb CreditAttribution: kq_sb commented
Issue summary: View changes
FileSize
core-fix_overly_restrictive_check_on_all_node_ops-1368610-11.patch608 bytes

Does this patch work better? It tests explicitly against the 'create $cid access' permission where there no $nid (which I understand means it checks against the content type instead).

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

schifazl’s picture

schifazl CreditAttribution: schifazl commented

I don't use Drupal 8 yet, but I can confirm that for Drupal 7.50 the patch #5 works flawlessly. Thanks!

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

designdit’s picture

designdit CreditAttribution: designdit commented

Hello,

I'm using 8.7.5 and this still appears to be an issue. Does anyone have a patch for this version? The current code appears to be very different from the time the original 8.x patch was created so it can't be applied.

Thanks

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

effulgentsia’s picture

effulgentsia CreditAttribution: effulgentsia at Acquia commented
Title: Users must have permission to "view published content" in order to create a node of any type. » It is confusing why users must have permission to "view published content" in order to create a node
Version: 8.9.x-dev » 9.2.x-dev
Issue summary: View changes

The original use-case of this issue got resolved with the Content Access module per #3.

Updating the issue summary to reflect the use-case in #4.

effulgentsia’s picture

effulgentsia CreditAttribution: effulgentsia at Acquia commented
Status: Needs work » Needs review
FileSize
1368610-24.patch825 bytes

Here's a port of #5 to Drupal 9 (works on Drupal 8 too).

Note, however, that I don't necessarily recommend using this patch on real sites. It has not been properly reviewed, and there might be parts of Drupal core or various contrib modules that rely on the current behavior of "view published content" controlling more than it says it does. I agree that the mismatch between the name of the permission and its current behavior is confusing though, so I'm glad that this issue is open for people to review.

effulgentsia’s picture

effulgentsia CreditAttribution: effulgentsia at Acquia commented
Title: It is confusing why users must have permission to "view published content" in order to create a node » It is confusing why creating a node requires users to have permission to "view published content"
FileSize
1368610-25.patch913 bytes

Sorry, the patch in #24 is incorrect. This patch is better, though the same warning about using it prior to it being properly reviewed applies.

The last submitted patch, 24: 1368610-24.patch, failed testing. View results

Status: Needs review » Needs work

The last submitted patch, 25: 1368610-25.patch, failed testing. View results

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.