7.x issue is #2547117: Views filter doesn't respect "view any unpublished content" permission - at least for core we now fix 8 and 7 issues using different issues.

My team had trouble getting a View with the "Published or admin" filter to show unpublished content, with the View Unpublished module enabled, logged in as a user who just had the "view any unpublished content" permission (but not the node-type-specific permissions). We found that there was no explicit check for the "any" permission in the Views handler that comes with this module. So this patch:

  • Adds a token for the "view any unpublished content" permission, using hook_views_query_subsititutions().
  • Changes the query in the handler to check for the tokenized permission.
  • As a bonus, changes the check for ***ADMINISTER_NODES*** to ***BYPASS_ACCESS_CONTROLS***, as that update has been applied to the latest version of the core Views handler.

Wanted to share this approach, which solved the issue for us, in the event it's helpful to the module's users or maintainers. Thanks.

CommentFileSizeAuthor
#3 2786109.2.patch4.36 KBalexpott
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

alexpott created an issue. See original summary.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
Related issues: +#2547117: Views filter doesn't respect "view any unpublished content" permission
alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
FileSize
2786109.2.patch4.36 KB
dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner at Chapter Three commented 
  1. +++ b/view_unpublished.views_execution.inc
@@ -16,8 +16,9 @@ function view_unpublished_views_query_substitutions(ViewExecutable $view) {
     $type_id = $type->id();
-    $substitutions["***VIEWUNPUBLISHED_$type_id***"] = intval($account
-      ->hasPermission('view any unpublished ' . $type_id . ' content'));
+    $substitutions["***VIEWUNPUBLISHED_TYPE_$type_id***"] = (int) $account->hasPermission('view any unpublished ' . $type_id . ' content');
   }
+  $substitutions["***VIEWUNPUBLISHED_ANY***"] = (int) $account->hasPermission('view any unpublished content');

    I'm wondering whether we could avoid changing this, you never know whether someone else is using that.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented

Well we could have VIEWUNPUBLISHEDANY - but I changed it in case some creates a node type with an ID of 'any'. TBH I think it is worth changing because it is explicit.

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner at Chapter Three commented

Well fair, given that view_unpublished doesn't have yet a stable release for 8.x

amateescu’s picture

amateescu CreditAttribution: amateescu for Chapter Three commented
Status: Needs review » Reviewed & tested by the community

I agree that it's ok-ish to change that substitution string :)

JeroenT’s picture

JeroenT
Primary language Dutch
Location 🇧🇪
CreditAttribution: JeroenT at iO commented

+1 to RTBC, patch worked for me.

  • amaria committed edc3992 on 8.x-1.x authored by alexpott 
    Issue #2786109 by alexpott: Views filter doesn't respect "view any...
amaria’s picture

amaria CreditAttribution: amaria commented
Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.