Using module_grants-7.x-1.x with og-7.x-2.x and taxonomy_access seems to work well except for unpublished content. Any nodes that are unpublished are visible to all roles including anonymous.

I see in module_grants 6.x issues there were several related to this problem.

I also noted that there are suggested workflows with revisioning but did not want to add more modules just to solve this issue unless it is the only way.

I would appreciate any suggestions on how to solve this.

Thanks.

Comments

RdeBoer’s picture

Suggest you add Revisioning to the mix.

izmeez’s picture

Ok, I'll give that a try.

izmeez’s picture

The revisioning and workflow modules are impressive.
But, what if you don't really need them? It adds a more complicated configuration.

It seems to me that there is something in module_grants that may need closer examination and maybe module_grants needs a hook that revisioning can use to alter what is needed for moderation.

Looking at the code in module_grants there are comments in the function alluding to this issue:

/**
 * Get the realms and # of records in node_access table for a node or for access all
 * @param  $node
 * @return array of record counts, keyed by realm.
 */
function module_grants_get_node_access_realms($node = NULL) {
  $node_access_realms = &drupal_static(__FUNCTION__);

  $nid = $node ? $node->nid : 0;
  if (!isset($node_access_realms[$nid])) {
    $query = db_select('node_access', 'na')
      ->fields('na', array('realm'));
    $query->addExpression('COUNT(na.gid)', 'gid_count');

    if ($node) {
      $nid_condition = db_or()
        ->condition('na.nid', $node->nid)
        // If node is published, and there is only an access all grant (nid = 0) for a realm, then this node
        // will not be handled leniently on this realm, which means user needs to have that access all grant
        // in order to access the node.
        // This condition should be the same for unpublished node. For unpublished nodes, node_access()
        // will not consider all grant, but will only consider node specific grant. If we allow unpublished
        // node to be handled leniently in a realm with only all grant, it would allow user without the
        // all grant to access the unpublished node, which is bad.
        ->condition('na.nid', 0);
      $query->condition($nid_condition);
    }
    $query->groupBy('na.realm');
    $node_access_realms[$nid] = $query->execute()->fetchAllKeyed();
  }
  return $node_access_realms[$nid];
}

The module_grants module is doing some heavy lifting to allow multiple access control modules to work well together so I am not really sure where such a change could be made.
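Added example, not part of the thread and not module_grants code: a small Drupal 7 custom module that vetoes viewing of unpublished nodes through hook_node_access(). The module name unpublished_guard is hypothetical, and the sketch assumes that access decisions on the site still pass through core's node_access().

```php
<?php
/**
 * @file
 * unpublished_guard.module (hypothetical module name, an assumption of this example).
 */

/**
 * Implements hook_node_access().
 *
 * Core's node_access() returns FALSE as soon as any implementation returns
 * NODE_ACCESS_DENY, so this veto wins over NODE_ACCESS_ALLOW from other
 * modules and is evaluated before the node_access table is consulted.
 */
function unpublished_guard_node_access($node, $op, $account) {
  // For 'create', $node is a content-type string; only act on loaded nodes.
  if ($op != 'view' || !is_object($node) || $node->status == NODE_PUBLISHED) {
    return NODE_ACCESS_IGNORE;
  }

  // Let authors fall through to core's "view own unpublished content" check.
  $is_author = $account->uid != 0 && $account->uid == $node->uid;
  if ($is_author && user_access('view own unpublished content', $account)) {
    return NODE_ACCESS_IGNORE;
  }

  // Users who administer content keep whatever access they are otherwise given.
  if (user_access('administer nodes', $account)) {
    return NODE_ACCESS_IGNORE;
  }

  // Everyone else, anonymous included, may not view an unpublished node.
  return NODE_ACCESS_DENY;
}
```

hook_node_access() only governs node_access() checks on a single node; listing queries are not affected by it and still need their own published-status condition.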

izmeez’s picture

I see this is very complicated according to https://www.drupal.org/node/408816#appendix

Secondly, modules for fine-grained access control (such as Workflow Access, TAC, TAC-Lite) tend to rely on grants in the node_access table for their implementation and are therefore rendered impotent when dealing with unpublished content, because of the way node access is wired into the drupal core (point 2b).

izmeez’s picture

I have tested the alternate modules_access from #791972-32: D7 port of Module Grants and it appears to do what I need.

On early testing, it does observe unpublished and admin behaviour while ANDing grants from og and taxonomy access.

Leeteq’s picture