Permissions: View any unpublished content not working

A relatively serious problem in an experimental module is not a critical issue for Drupal core.

Is this also a problem with 8.x-3.x?

user gets message: "The website encountered an unexpected error. Please try again later."

It will be helpful to know what is the error logged.

This should fix the issue, just need a test to prove it.

The patch should apply to 8.2.x and 8.3.x, we just need to get it committed to 8.3.x first then to 8.2.x because of the big difference in content moderation.

Also note, content moderation is an experimental module so I wouldn't advise using it on a live site. There is currently no way to upgrade from 8.2.x content moderation to 8.3.x content moderation.

@scookie workflows and content moderation are both alpha experimental modules - as documented on https://www.drupal.org/core/experimental they are not production ready.

The fix looks good. NW for the test.

Are you sure this is the right patch? It looks like the patch doesn't do anything at all. It's just separating one if condition into two if conditions, which are equivalent.

+++ b/core/modules/content_moderation/src/ParamConverter/EntityRevisionConverter.php
@@ -92,14 +92,16 @@ public function convert($value, $definition, $name, array $defaults) {
+        if ($latest_revision->isRevisionTranslationAffected()) {

This code is never reached without first checking "instanceof EntityInterface", which is the error being reported, "Call to a member function isRevisionTranslationAffected() on null".

I couldn't get this to fatal with any combination of permissions for 8.3.x.

\Drupal\content_moderation\ModerationInformationInterface::getLatestRevision() documents that it can return NULL, and if we combine that with the fact that isRevisionTranslationAffected() is a method on ContentEntityInterface, I think we need a simpler patch like the one attached.

Fix looks simple, nice. Were you able to reproduce this by testing manually and can you upload a test to demonstrate the fail? NW based on a test.

I was not able to reproduce the problem mentioned in the current issue summary ("Problem: users other than administrator cannot view unpublished content that does not have a published version when they have the View any unpublished content permission."), however, I was able to write a test for a very similar bug:

A user with the 'view latest version' and 'view any unpublished content' permissions is not able to access the page which displays the 'latest' revision of an entity that was never published.

Here's a test-only patch for that, and note that the patch in #19 does not fix it, this is a different bug but in the same code surface area.

I think this should still be needs review?

Rerolling as the test only patch was not applying anymore, (the test file now lives under core/modules/content_moderation/tests/src/Functional/ )

Rerolled for 8.3.x!

@facine - This looks to be a re-roll of my patch in #9 and not of the newer patches.

#24 applies fine to both to 8.4.x and 8.3.x, no need to reroll...

@facine Thank you for contributing. Do check if a patch needs a reroll first. I am removing the automatically-assigned credit you would have received. Keep following and helping!

Re-roll of patch #24 because it's failed to apply on 8.4.x & test mentioned in #24 already included in 8.4.x branch so i am not including that tests in my patch.

The patch in #34 doesn't really do anything now, looks like this was fixed in #2821716: Fatal error when viewing node with content moderation enabled if a module which implements hook_node_grants() is enabled .

How about keeping this open for the bug that I found in #21?

The test is written already, now we just need a fix :)

Trying to update the test only patch from #21.

This seems to be along the same lines, but I don't know why it's not working. Looking at \Drupal\content_moderation\Routing\EntityModerationRouteProvider::getLatestVersionRoute a user with 'view latest version' and 'view any unpublished content' permissions should get a 200 for the latest revision page not a 403.

I am now unable to replicate the bug in the issue summary or bugs explained in the comments, such as #21.

Feel free to re-open if I missed anything, but looks as thought NodeAccessTest is more extensive now.

Looks like the test from #21 was added in #2821716: Fatal error when viewing node with content moderation enabled if a module which implements hook_node_grants() is enabled , so that also presumably fixed the issue?

Looks like it @jhedstrom.

I still had this issue in one of our projects that we just migrated to 8.5.

It took me a while, but I was finally able to resolve the issue by implementing the fix from https://dgo.to/2835883#comment-11905189.

Attaching the patch here, for whoever else is encountering this issue.

Re-uploading patch, with missing import for class.

I am still running into this with D8.6.3 and content moderation, tried #45 but this did not fix the issue for me.

I too am seeing this issue. on 8.6.4 Very Odd for sure.

Makes content moderation basically unusable for me at the moment.

After long debugging, I found that there is no issue with accessing the content. If you try to access the content by entering the link directly to the browser you will be able to view it.
The main problem here that you can't see it in the content listing page, this because of views filter "Published status or admin user".
This filter does not check "view any unpublished content" permission.
This patch solves the issue.

Maybe we should change the component to node module

Wow nice find @Anas_maw -

Should we open a new issue for that? this thread is already confusing enough, and that seems to only deal with node module.

I created a new issue for this: #3030477: Views filter "Published status or admin user" not checking "View any unpublished content" permission
Maybe we should close this ticket?

Yeah lets do that, thanks again @Anas_maw

@Anas_maw - good catch, thank you!