Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
From #4:
My use case is this: I want to have people 1) create an account (user role: authenticated) and 2) create a profile (in this case, a node). After a review of their node, their user account gets promoted to one of several other roles, and those elevated roles have permission to "view published content" - but the authenticated user should not have this permission.
From my testing, this is impossible to do without an access control module since access to the node/add page (or any specific node/add/X page) is also controlled by the "view published content" permission.
Comment | File | Size | Author |
---|---|---|---|
#25 | 1368610-25.patch | 913 bytes | effulgentsia |
#24 | 1368610-24.patch | 825 bytes | effulgentsia |
#12 | core-fix_overly_restrictive_check_on_all_node_ops-1368610-11.patch | 608 bytes | kq_sb |
#5 | core-fix_overly_restrictive_check_on_all_node_ops-1368610-5.patch | 552 bytes | jenlampton |
#5 | core-fix_overly_restrictive_check_on_all_node_ops-1368610-5-do-not-test.patch | 492 bytes | jenlampton |
Comments
Comment #1
kmajzlik CreditAttribution: kmajzlik commented(i am using Domain module can that be problem?)
Comment #2
kmajzlik CreditAttribution: kmajzlik commentedHm i made some research.
- All access modules are out.
- User has ONLY permission to create Page content type.
- User has "Access denied" on /node/add/page
Any logic reason for that?
Comment #3
kmajzlik CreditAttribution: kmajzlik commentedSorry my fault. Now clean install, Content Access, Domain and everything works well.
Solution: /admin/structure/types/[TYPE]/access - expand Advanced. Give content node grants priority to 10. Flush all caches, rebuild content permissions.
Comment #4
jenlamptonI think this may actually be a bug - perhaps it is by design, but if so I'd like someone to confirm that :)
My use case is this: I want to have people 1) create an account (user role: authenticated) and 2) create a profile (in this case, a node). After a review of their node, their user account gets promoted to one of several other roles, and those elevated roles have permission to "view published content" - but the authenticated user should not have this permission.
From my testing, this is impossible to do without an access control module since access to the node/add page (or any specific node/add/X page) is also controlled by the "view published content" permission.
Is this a mistake?
Comment #5
jenlamptonOkay, I think I found the problem.
There is a check in
node_access
for 'access content' without checking the $op, and it will always return false, even affecting node/add and node/add/XPatches for 8.x and 7.x attached.
Comment #7
andypostThis has overlap with #1818556: Convert nodes to the new Entity Field API
Anyway we needs fix tests and add new one
Comment #8
jenlamptonPatches still apply cleanly, and locally the same tests are not failing for me, so re-queueing for more accurate test results.
Comment #9
jenlamptonWhoops, lost important tag.
Comment #10
jenlampton#5: core-fix_overly_restrictive_check_on_all_node_ops-1368610-5.patch queued for re-testing.
Comment #12
kq_sb CreditAttribution: kq_sb commentedDoes this patch work better? It tests explicitly against the 'create $cid access' permission where there no $nid (which I understand means it checks against the content type instead).
Comment #15
schifazl CreditAttribution: schifazl commentedI don't use Drupal 8 yet, but I can confirm that for Drupal 7.50 the patch #5 works flawlessly. Thanks!
Comment #20
designdit CreditAttribution: designdit commentedHello,
I'm using 8.7.5 and this still appears to be an issue. Does anyone have a patch for this version? The current code appears to be very different from the time the original 8.x patch was created so it can't be applied.
Thanks
Comment #23
effulgentsia CreditAttribution: effulgentsia at Acquia commentedThe original use-case of this issue got resolved with the Content Access module per #3.
Updating the issue summary to reflect the use-case in #4.
Comment #24
effulgentsia CreditAttribution: effulgentsia at Acquia commentedHere's a port of #5 to Drupal 9 (works on Drupal 8 too).
Note, however, that I don't necessarily recommend using this patch on real sites. It has not been properly reviewed, and there might be parts of Drupal core or various contrib modules that rely on the current behavior of "view published content" controlling more than it says it does. I agree that the mismatch between the name of the permission and its current behavior is confusing though, so I'm glad that this issue is open for people to review.
Comment #25
effulgentsia CreditAttribution: effulgentsia at Acquia commentedSorry, the patch in #24 is incorrect. This patch is better, though the same warning about using it prior to it being properly reviewed applies.