Do a check for unpublished content when looking for update/delete permissions

vilepickle created an issue. See original summary.

Yeah I think a better solution would be to have a permission for "edit own unpublished nodes" instead of just the view one for something like this.

Here's our views plugin to show what we're doing. It is looking at the update permission, but doesn't work as a Views filter (like for admin/content) unless the patch in #2 is applied currently.

<?php

namespace Drupal\hp_views\Plugin\views\filter;

use Drupal\Core\Form\FormStateInterface;
use Drupal\views\Plugin\views\filter\FilterPluginBase;

/**
 * Filter by node_access records.
 *
 * @ingroup views_filter_handlers
 *
 * @ViewsFilter("hp_views_gnode_update_access")
 */
class GroupNodeUpdateAccess extends FilterPluginBase {

  public function adminSummary() { }
  protected function operatorForm(&$form, FormStateInterface $form_state) { }
  public function canExpose() {
    return FALSE;
  }

  /**
   * See _node_access_where_sql() for a non-views query based implementation.
   */
  public function query() {
    $account = $this->view->getUser();

    // Get the list of grants from the gnode module.
    $grants_list = gnode_node_grants($account, 'update');

    if(empty($grants_list)) {
      return;
    }

    if (!$account->hasPermission('bypass node access')) {
      $table = $this->ensureMyTable();
      $grants = db_or();

      foreach ($grants_list as $realm => $gids) {
        foreach ($gids as $gid) {
          $grants->condition(db_and()
            ->condition($table . '.gid', $gid)
            ->condition($table . '.realm', $realm)
          );
        }
      }

      $this->query->addWhere('AND', $grants);
      $this->query->addWhere('AND', $table . '.grant_update', 1, '>=');
      $this->query->addTag('node_access');

     // print_r($this->query->query()->__toString());
    }
  }

  /**
   * {@inheritdoc}
   */
  public function getCacheContexts() {
    $contexts = parent::getCacheContexts();

    $contexts[] = 'user.node_grants:update';

    return $contexts;
  }

}

Thanks for pointing that out. So I was doing some digging on this issue today. In our app, we've discovered that if a separate author in the group creates an unpublished node, but then a different user tries to view it with the filter above, it does not show up in the list of content.

The root cause doesn't seem to be the patch I presented originally since that function checks the node_access after the record has been entered in the first place.

What makes sense is down below in the gnode.module file:

    // Add the non-author record for viewing nodes.
    $prefix = $node->isPublished() ? 'gnode' : 'gnode_unpublished';
    $records[] = ['gid' => $gid, 'realm' => "$prefix:$type"] + $base;

It should probably be:

    // Add the non-author record for viewing nodes.
    if(!$node->isPublished()) {
      $records[] = ['gid' => $gid, 'realm' => "gnode_unpublished:$type"] + $base;
    }
    $records[] = ['gid' => $gid, 'realm' => "gnode:$type"] + $base;

I was seeing only two records in the db for the gid:
gnode_unpublished:news
gnode_author:1:news

Where it should have "gnode:news" as well to be able to show the unpublished node.

This will also require an access rebuild I believe...

Not sure if this approach is best but feedback welcome.

Btw, that metaData line actually causes a fatal:

Fatal error: Call to undefined method Drupal\views\Plugin\views\query\Sql::addMetaData()

I believe this is how node access is rebuilt on updb.