I have received this question via e-mail. I post it here so it can benefit other people as well that are looking for this answer.

If a role that does not have the privilege to publish content but can schedule content, does scheduler take that into account? i.e not publish it even if it is scheduled to publish if it has been created by a user without the ability to publish content?

Comments

pfrenssen created an issue.

pfrenssen’s picture

pfrenssen
Location Sofia
CreditAttribution: pfrenssen commented

The publishing of content is actually done by an anonymous user in a cron job, so as soon as content is scheduled, it will always be published, regardless of the role of the person who scheduled the job. This is because in the standard Drupal core node editing workflow is it not very easy to keep track of who is responsible for having content published when content passes through multiple revisions by multiple authors.

If you need more fine grained control over this then you can use a module that provides advanced workflow such as Workbench Moderation in combination with Scheduler Workbench Integration. You can then set up an "Approved for publication" state which can only be granted by a privileged user such as a Chief Editor. The content will then only be published by Scheduler if it has been approved. I don't think either of those two modules are already ported to D8 though.

james.bcn’s picture

james.bcn CreditAttribution: james.bcn commented

I expect this is quite widely required functionality, and it does seem very complex to set up if all that is required is a way to prevent publication before a specific date.

It seems to me that if a user does not have the ability to publish and the scheduler does not take that into account then this is a way for the user to circumvent that, and it seems to me that the scheduler is "broken" in that respect, as it allows a user to circumvent the privileges of their role. Potentially there could be security issues as well? I think this needs some thought.

pfrenssen’s picture

pfrenssen
Location Sofia
CreditAttribution: pfrenssen commented

@james.bcn, if you need this functionality now, you can deny access to the Scheduler fields for user roles that are not supposed to schedule content. This can be done in a form alter, or with a contrib module such as Field Permissions.

In the typical Drupal tradition Scheduler only does one thing and tries to do it well. This means that it only supports the archetypal "80% case", and relies on other modules to provide very specific functionality. Your use case requires an advanced content publishing workflow. This is provided by Scheduler Workbench Integration, but unfortunately that module is not yet ported to D8. If you are interested in a good solution for the long term that is where you should look though.

Note also that Scheduler is also not ready for Drupal 8 yet. It is not recommended for production use. I hope that by the time Scheduler is ready, Workbench Moderation and Scheduler Workbench Integration will also have made significant progress on their D8 ports.

That said, I can understand your pressing need. Try to look into implementing a form alter, and setting the #access value of the Scheduler fields to FALSE for unprivileged users. This will probably get you up and running for the moment.

jonathan1055’s picture

jonathan1055 CreditAttribution: jonathan1055 commented

Hi james.bcn and Pieter,

Thank you for sharing this discussion. It is interesting to follow through the thinking behind our design, and it is good to question things. However I disagree entirely with your statement 'if a user does not have the ability to publish and the scheduler does not take that into account then this is a way for the user to circumvent that, and it seems to me that the scheduler is "broken" in that respect'. Scheduler has it's own permission "Schedule content publication - Allows users to set a start and end time for content publication" so this permission should not be granted to a role which should not be allowed to publish content. If the user should not have the ability to publish then they should not have the ability to set a date for publishing. This can be achieved by not granting them the "Schedule content publication" permission.

I suppose there could be a case for making finer granularity within the permission, so that for example a user might be allowed to schedule a certain content type but not another. Then it would be wrong to deny them Scheduler altogether. Also, we might look at giving a warning when granting the Scheduler permission to a role which could be considered to clash with this. However, there is no core 'publish' permission, it would involve the default status and whether you can change it, so that would be a difficult check to make.

As Pieter says, if you have a complex workflow where an editor can set a publish date, but the content should not actually be published by them unless another user with higher authority has given the O.K. then Workbench Moderation and Scheduler Workbench Integration are the way to do this.

However, we are happy to learn from your situation, and we will listen to your requirements or suggestions, and follow them through to make good design decisions and enhancements if necessary.

Jonathan

james.bcn’s picture

james.bcn CreditAttribution: james.bcn commented

@jonathan1055 the fact that the scheduler has a permission that needs to be granted is a good point.