7.x issue is #2547117: Views filter doesn't respect "view any unpublished content" permission - at least for core we now fix 8 and 7 issues using different issues.
My team had trouble getting a View with the "Published or admin" filter to show unpublished content, with the View Unpublished module enabled, logged in as a user who just had the "view any unpublished content" permission (but not the node-type-specific permissions). We found that there was no explicit check for the "any" permission in the Views handler that comes with this module. So this patch:
- Adds a token for the "view any unpublished content" permission, using hook_views_query_subsititutions().
- Changes the query in the handler to check for the tokenized permission.
- As a bonus, changes the check for ***ADMINISTER_NODES*** to ***BYPASS_ACCESS_CONTROLS***, as that update has been applied to the latest version of the core Views handler.
Wanted to share this approach, which solved the issue for us, in the event it's helpful to the module's users or maintainers. Thanks.
Comment | File | Size | Author |
---|---|---|---|
#3 | 2786109.2.patch | 4.36 KB | alexpott |
Comments
Comment #2
alexpottComment #3
alexpottComment #4
dawehnerI'm wondering whether we could avoid changing this, you never know whether someone else is using that.
Comment #5
alexpottWell we could have
VIEWUNPUBLISHEDANY
- but I changed it in case some creates a node type with an ID of 'any'. TBH I think it is worth changing because it is explicit.Comment #6
dawehnerWell fair, given that
view_unpublished
doesn't have yet a stable release for 8.xComment #7
amateescu CreditAttribution: amateescu for Chapter Three commentedI agree that it's ok-ish to change that substitution string :)
Comment #8
JeroenT+1 to RTBC, patch worked for me.
Comment #10
amaria CreditAttribution: amaria commented