This issue was reported for the Workbench Moderation module. It also exists in Content Moderation, so I'm adding it here.
I have a role (manager) with permission to view any unpublished content. That role can also view the latest version, can create and edit any content type X.
Webmaster (administrator role) creates a content type X node. It's in the Draft (unpublished) state.
User A with role "manager" cannot access that node.
Webmaster publishes that node, User A then has access to it.
Webmaster creates a new draft version of that node (has published version and unpublished version).
User A can view and moderate the unpublished version.
User A creates a content type X node. As soon as User A saves it, user gets message: "The website encountered an unexpected error. Please try again later.".
Webmaster can see and access that node (unpublished), but User A cannot - even though User A created it.
Problem: users other than administrator cannot view unpublished content that does not have a published version when they have the View any unpublished content permission.
This renders workflow useless.
Here 's a link to the issue reported for Workbench Moderation: ISSUE
Comment | File | Size | Author |
---|---|---|---|
#50 | view_any_unpublished_content_not_working-2838452-50.patch | 1.58 KB | Anas_maw |
#45 | 2838452-45.patch | 1.54 KB | yusufhm |
#37 | 2838452-37.patch | 612 bytes | timmillwood |
#34 | permissions_view_any-2838452-34.patch | 1.13 KB | yogeshmpawar |
#24 | 2838452-24-test-only.patch | 1.15 KB | Manuel Garcia |
Comments
Comment #2
timmillwoodComment #3
scookie CreditAttribution: scookie at Workday, Inc. commentedComment #4
cilefen CreditAttribution: cilefen commentedA relatively serious problem in an experimental module is not a critical issue for Drupal core.
Comment #5
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commentedIs this also a problem with 8.x-3.x?
Comment #6
cilefen CreditAttribution: cilefen commentedIt will be helpful to know what is the error logged.
Comment #7
scookie CreditAttribution: scookie at Workday, Inc. commentedIt is a php error with the following message (from the log):
rror: Call to a member function isRevisionTranslationAffected() on null in Drupal\content_moderation\ParamConverter\EntityRevisionConverter->convert() (line 101 of /var/www/community/build/html/core/modules/content_moderation/src/ParamConverter/EntityRevisionConverter.php) #0 /var/www/community/build/html/core/lib/Drupal/Core/ParamConverter/ParamConverterManager.php(99): Drupal\content_moderation\ParamConverter\EntityRevisionConverter->convert('7', Array, 'node', Array) #1 /var/www/community/build/html/core/lib/Drupal/Core/Routing/Enhancer/ParamConversionEnhancer.php(45): Drupal\Core\ParamConverter\ParamConverterManager->convert(Array) #2 /var/www/community/build/html/core/lib/Drupal/Core/Routing/LazyRouteEnhancer.php(94): Drupal\Core\Routing\Enhancer\ParamConversionEnhancer->enhance(Array, Object(Symfony\Component\HttpFoundation\Request)) #3 /var/www/community/vendor/symfony-cmf/routing/DynamicRouter.php(289): Drupal\Core\Routing\LazyRouteEnhancer->enhance(Array, Object(Symfony\Component\HttpFoundation\Request)) #4 /var/www/community/vendor/symfony-cmf/routing/DynamicRouter.php(275): Symfony\Cmf\Component\Routing\DynamicRouter->applyRouteEnhancers(Array, Object(Symfony\Component\HttpFoundation\Request)) #5 /var/www/community/vendor/symfony-cmf/routing/ChainRouter.php(186): Symfony\Cmf\Component\Routing\DynamicRouter->matchRequest(Object(Symfony\Component\HttpFoundation\Request)) #6 /var/www/community/vendor/symfony-cmf/routing/ChainRouter.php(156): Symfony\Cmf\Component\Routing\ChainRouter->doMatch('/node/7/edit', Object(Symfony\Component\HttpFoundation\Request)) #7 /var/www/community/build/html/core/lib/Drupal/Core/Routing/AccessAwareRouter.php(85): Symfony\Cmf\Component\Routing\ChainRouter->matchRequest(Object(Symfony\Component\HttpFoundation\Request)) #8 /var/www/community/vendor/symfony/http-kernel/EventListener/RouterListener.php(154): Drupal\Core\Routing\AccessAwareRouter->matchRequest(Object(Symfony\Component\HttpFoundation\Request)) #9 /var/www/community/build/html/core/lib/Drupal/Component/EventDispatcher/ContainerAwareEventDispatcher.php(111): Symfony\Component\HttpKernel\EventListener\RouterListener->onKernelRequest(Object(Symfony\Component\HttpKernel\Event\GetResponseEvent), 'kernel.request', Object(Drupal\Component\EventDispatcher\ContainerAwareEventDispatcher)) #10 /var/www/community/vendor/symfony/http-kernel/HttpKernel.php(125): Drupal\Component\EventDispatcher\ContainerAwareEventDispatcher->dispatch('kernel.request', Object(Symfony\Component\HttpKernel\Event\GetResponseEvent)) #11 /var/www/community/vendor/symfony/http-kernel/HttpKernel.php(64): Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object(Symfony\Component\HttpFoundation\Request), 1) #12 /var/www/community/build/html/core/lib/Drupal/Core/StackMiddleware/Session.php(57): Symfony\Component\HttpKernel\HttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true) #13 /var/www/community/build/html/core/lib/Drupal/Core/StackMiddleware/KernelPreHandle.php(47): Drupal\Core\StackMiddleware\Session->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true) #14 /var/www/community/build/html/core/modules/page_cache/src/StackMiddleware/PageCache.php(99): Drupal\Core\StackMiddleware\KernelPreHandle->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true) #15 /var/www/community/build/html/core/modules/page_cache/src/StackMiddleware/PageCache.php(78): Drupal\page_cache\StackMiddleware\PageCache->pass(Object(Symfony\Component\HttpFoundation\Request), 1, true) #16 /var/www/community/build/html/core/lib/Drupal/Core/StackMiddleware/ReverseProxyMiddleware.php(47): Drupal\page_cache\StackMiddleware\PageCache->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true) #17 /var/www/community/build/html/core/lib/Drupal/Core/StackMiddleware/NegotiationMiddleware.php(50): Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true) #18 /var/www/community/vendor/stack/builder/src/Stack/StackedHttpKernel.php(23): Drupal\Core\StackMiddleware\NegotiationMiddleware->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true) #19 /var/www/community/build/html/core/lib/Drupal/Core/DrupalKernel.php(652): Stack\StackedHttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true) #20 /var/www/community/build/html/index.php(19): Drupal\Core\DrupalKernel->handle(Object(Symfony\Component\HttpFoundation\Request)) #21 {main}.
Comment #8
cilefen CreditAttribution: cilefen commentedComment #9
timmillwoodThis should fix the issue, just need a test to prove it.
Comment #10
scookie CreditAttribution: scookie at Workday, Inc. commentedWill a fix be available for 8.2.x? When I created this issue, I created it as an issue for 8.2.x. We are going live prior to the release of 8.3, and we need a fix before we go live. Thanks!
Comment #11
timmillwoodThe patch should apply to 8.2.x and 8.3.x, we just need to get it committed to 8.3.x first then to 8.2.x because of the big difference in content moderation.
Also note, content moderation is an experimental module so I wouldn't advise using it on a live site. There is currently no way to upgrade from 8.2.x content moderation to 8.3.x content moderation.
Comment #12
alexpott@scookie workflows and content moderation are both alpha experimental modules - as documented on https://www.drupal.org/core/experimental they are not production ready.
Comment #13
scookie CreditAttribution: scookie at Workday, Inc. commented@alexpott, understood.
Comment #14
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commentedThe fix looks good. NW for the test.
Comment #15
RaisinBranCrunch CreditAttribution: RaisinBranCrunch commentedAre you sure this is the right patch? It looks like the patch doesn't do anything at all. It's just separating one if condition into two if conditions, which are equivalent.
Comment #16
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commentedThis code is never reached without first checking "instanceof EntityInterface", which is the error being reported, "Call to a member function isRevisionTranslationAffected() on null".
Comment #17
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commentedI couldn't get this to fatal with any combination of permissions for 8.3.x.
Comment #19
amateescu CreditAttribution: amateescu for Pfizer, Inc. commented\Drupal\content_moderation\ModerationInformationInterface::getLatestRevision()
documents that it can return NULL, and if we combine that with the fact thatisRevisionTranslationAffected()
is a method onContentEntityInterface
, I think we need a simpler patch like the one attached.Comment #20
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commentedFix looks simple, nice. Were you able to reproduce this by testing manually and can you upload a test to demonstrate the fail? NW based on a test.
Comment #21
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedI was not able to reproduce the problem mentioned in the current issue summary ("Problem: users other than administrator cannot view unpublished content that does not have a published version when they have the View any unpublished content permission."), however, I was able to write a test for a very similar bug:
A user with the 'view latest version' and 'view any unpublished content' permissions is not able to access the page which displays the 'latest' revision of an entity that was never published.
Here's a test-only patch for that, and note that the patch in #19 does not fix it, this is a different bug but in the same code surface area.
Comment #23
realityloopI think this should still be needs review?
Comment #24
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation commentedRerolling as the test only patch was not applying anymore, (the test file now lives under core/modules/content_moderation/tests/src/Functional/ )
Comment #27
facine CreditAttribution: facine as a volunteer and at Cambrico commentedRerolled for 8.3.x!
Comment #28
cilefen CreditAttribution: cilefen commentedComment #29
timmillwood@facine - This looks to be a re-roll of my patch in #9 and not of the newer patches.
Comment #30
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation commented#24 applies fine to both to 8.4.x and 8.3.x, no need to reroll...
Comment #31
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation commentedComment #32
cilefen CreditAttribution: cilefen commented@facine Thank you for contributing. Do check if a patch needs a reroll first. I am removing the automatically-assigned credit you would have received. Keep following and helping!
Comment #33
yogeshmpawarComment #34
yogeshmpawarRe-roll of patch #24 because it's failed to apply on 8.4.x & test mentioned in #24 already included in 8.4.x branch so i am not including that tests in my patch.
Comment #35
timmillwoodThe patch in #34 doesn't really do anything now, looks like this was fixed in #2821716: Fatal error when viewing node with content moderation enabled if a module which implements hook_node_grants() is enabled .
Comment #36
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedHow about keeping this open for the bug that I found in #21?
The test is written already, now we just need a fix :)
Comment #37
timmillwoodTrying to update the test only patch from #21.
This seems to be along the same lines, but I don't know why it's not working. Looking at
\Drupal\content_moderation\Routing\EntityModerationRouteProvider::getLatestVersionRoute
a user with 'view latest version' and 'view any unpublished content' permissions should get a 200 for the latest revision page not a 403.Comment #40
timmillwoodI am now unable to replicate the bug in the issue summary or bugs explained in the comments, such as #21.
Feel free to re-open if I missed anything, but looks as thought NodeAccessTest is more extensive now.
Comment #41
jhedstromLooks like the test from #21 was added in #2821716: Fatal error when viewing node with content moderation enabled if a module which implements hook_node_grants() is enabled , so that also presumably fixed the issue?
Comment #42
timmillwoodLooks like it @jhedstrom.
Comment #43
yusufhmI still had this issue in one of our projects that we just migrated to 8.5.
It took me a while, but I was finally able to resolve the issue by implementing the fix from https://dgo.to/2835883#comment-11905189.
Attaching the patch here, for whoever else is encountering this issue.
Comment #45
yusufhmRe-uploading patch, with missing import for class.
Comment #48
sgurlt CreditAttribution: sgurlt as a volunteer and at Bright Solutions GmbH commentedI am still running into this with D8.6.3 and content moderation, tried #45 but this did not fix the issue for me.
Comment #49
kclarkson CreditAttribution: kclarkson commentedI too am seeing this issue. on 8.6.4 Very Odd for sure.
Makes content moderation basically unusable for me at the moment.
Comment #50
Anas_maw CreditAttribution: Anas_maw as a volunteer commentedAfter long debugging, I found that there is no issue with accessing the content. If you try to access the content by entering the link directly to the browser you will be able to view it.
The main problem here that you can't see it in the content listing page, this because of views filter "Published status or admin user".
This filter does not check "view any unpublished content" permission.
This patch solves the issue.
Comment #51
Anas_maw CreditAttribution: Anas_maw as a volunteer commentedMaybe we should change the component to node module
Comment #52
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation commentedWow nice find @Anas_maw -
Should we open a new issue for that? this thread is already confusing enough, and that seems to only deal with node module.
Comment #53
Anas_maw CreditAttribution: Anas_maw as a volunteer commentedI created a new issue for this: #3030477: Views filter "Published status or admin user" not checking "View any unpublished content" permission
Maybe we should close this ticket?
Comment #54
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation commentedYeah lets do that, thanks again @Anas_maw
Comment #55
Dmitrii Puiandaikin CreditAttribution: Dmitrii Puiandaikin as a volunteer commented@Anas_maw - good catch, thank you!