This seems to happen because the update and the view moderation history use the same access function.
The function is: _workbench_moderation_access().
Inside the function is this block of code:
<?php
// The user must be able to view the moderation history.
$access &= user_access('view moderation history');
// The user must be able to edit this node.
$access &= node_access('update', $node);
if ($op == 'unpublish') {
?>
The first node_access check is fine, but the second node_access check should not apply to the view moderation history.
I looked around to see what calls the said function and found that the only cases where when the user was doing an unpublish or a moderation (via the menu url paths) or
is called from _workbench_moderation_access_current_draft() that ends up calling the _workbench_moderation_access() function.
I am suggesting that the update access check only be done when there is a potential update/edit, such as the unpublish process.
The attached patch moves the update access check to inside the unpublish op if block.
There is also this in that same function call:
<?php
// Allow other modules to change our rule set.
drupal_alter('workbench_moderation_access', $access, $op, $node);
?>
This makes me think I should alter the patch to only do the view update test for any/all update operations?
And what are those operations?
Comment | File | Size | Author |
---|---|---|---|
#26 | interdiff.txt | 575 bytes | dsnopek |
#26 | workbench_moderation-1512442-26.patch | 3.13 KB | dsnopek |
| |||
#23 | workbench_moderation-1512442-23.patch | 3.09 KB | dsnopek |
#20 | interdiff-15-20.txt | 723 bytes | cboyden |
#20 | 1512442-20-workbench_moderation-fix_access_check.patch | 3.08 KB | cboyden |
Comments
Comment #1
Vc Developer CreditAttribution: Vc Developer commentedSub.......
Comment #2
lotyrin CreditAttribution: lotyrin commentedThis also breaks viewing drafts.
Regarding the current patch, Is unpublish the only op that should check for node update access?
Comment #3
thekevinday CreditAttribution: thekevinday commentedI suppose any "edit"-like op would need to check for the node update access.
I mentioned that I was not sure what ops there are to process, so maybe I should change the patch to work like this instead:
Which would catch all unknown states while allowing the known 'view' state.
But this then changes the question to, are there any non-"edit"-like states that should not have the node_access('update') check??
I would think that the only operations are CRUD (or in drupals case, CVUD).
- Create, Read(View), Update, Delete.
I just can't find the supporting documentation to confirm this.
It just occured to me after writing all the above that the following might be even better:
Instead of guessing, just pass the operation through node_access() and let it decide.
Is this redundant in anyway?
Comment #4
lotyrin CreditAttribution: lotyrin commentedI'd say we should make a decent effort to see what the possible operations are and rework this function to be correct for all of them.
As it is it doesn't make much sense at all and fixing one-off cases just dusts the rest under the rug.
Comment #5
lotyrin CreditAttribution: lotyrin commentedNot sure if this is right (haven't tested), but illustrates the direction I want this to go in.
Comment #6
zphen CreditAttribution: zphen commentedThis issue is limiting us on a system soon to go to prod.
Specifically we are trying to create a publisher role cannot edit a node, but can move it through transition states.
Due to the issue in this thread, the publisher role does not have the "view moderation history" link unless we give them permission to edit nodes.
Q: When will a patch be released for this?
Thanks for your assistance.
Comment #7
julien66 CreditAttribution: julien66 commentedI run into the same issue. I have a simple workflow where anonymous user should be able to see the revision history + each past revision. I was unable to set it because I was not willing to grant them an editing access on the concerned node type.
=> I can confirm your patch (#5) is solving the issue without forgetting any operation where the code shouldn't grant the access ('update', 'unpublish'). It should be ported asap in my opinion since this seems to affect a quite common usage case...
++
Comment #8
hass CreditAttribution: hass commentedComment #9
JvE CreditAttribution: JvE commentedComment #10
JvE CreditAttribution: JvE commented#5 works fine for me. Thanks.
Comment #11
hass CreditAttribution: hass commentedLooks not good. That's why we have $user, isn't it?
Comment #12
JvE CreditAttribution: JvE commentedYou mean like this?
Doesn't make any difference to me.
Comment #13
stmh CreditAttribution: stmh commentedI came accross the same problem and fixed it via a custom module implementing the hook_workbench_moderation_access_alter
Comment #14
hass CreditAttribution: hass commented#12: yes, that's what I mean.
Comment #15
pfrenssenAddressed Hass' remarks from #11 and did some further cleanup.
Comment #16
cboyden CreditAttribution: cboyden commentedUnlike other links on the moderation history tab, the "Edit draft" courtesy link doesn't check permissions. Starting at line 165 of workbench_moderation.node.inc:
With this patch in place, someone who can view moderation history but not edit will see an "Edit draft" or "New draft" link that leads them to a page with an access denied error. Instead, the courtesy link should check permissions, because it can no longer depend on the fact that this tab isn't visible to someone who can't edit.
Comment #17
cboyden CreditAttribution: cboyden commentedThe updated patch adds an access check to the edit courtesy link that prevents showing it if the user can't edit the node.
Comment #20
cboyden CreditAttribution: cboyden commentedPrevious patch failed because the order of arguments was wrong for _workbench_moderation_access - it's the opposite of the order from _workbench_moderation_revision_access.
Comment #21
dzy CreditAttribution: dzy commentedthanks! it worked.
Fix this issue then "moderator" can do his job with limit permission. I think it is the MOST important feature for this module.
Comment #22
dzy CreditAttribution: dzy commentedfunction _workbench_moderation_moderate_access() had this:
I think we should allow "moderator" role moderate content without edit node permission, he only need view node and moderate state permission.
about #20, function _workbench_moderation_access(), There is no return value?
Comment #23
dsnopekReading over the patch, I think that @dzy made a good catch in #22 that nothing is being done with the return value of
_node_revision_access()
. That should either be integrated into$access
, or perhaps that whole section should be removed? That bit of code (which up until now has done nothing) has been part of the patch since #5.First, here's a patch that integrates that into
$access
- I want to see if any of the automated tests fail.Comment #25
dsnopekTests failed on #23, although, it's not super clear to me that it's from the change I made. I've queued a re-test of #20 just to make sure that patch is still passing (and it's not broken too due to some changes in the 7.x-3.x branch, or changes to Drupal or dependencies or the testbot)
Comment #26
dsnopekIt looks like that was a legitimate failure. Here's an updated patch that attempts to fix.
Basically, my thinking is that previously you needed the ability to update the node for everything. The issue here is to change it so that for 'view revisions' and 'view history' you don't, only the permission to view node revisions. However, my update on the patch is to make is that the users who have update permission still get access, in addition to those with just the ability to view revisions.