Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The change in https://www.drupal.org/node/2821899 is excellent, it lets people see the content if you're checking for a "View" permission on content.
However, when we're checking if something could be updated or deleted, it's also useful to add in whether it is unpublished or not. The use case is if we had a View filter looking for the "update" op, it would not grant the ability for the View to display the entities that could be updated/deleted.
Comment | File | Size | Author |
---|---|---|---|
#14 | group_gnode-unpublished-node-update-delete-check_2852963-14.patch | 1.13 KB | mikemccaffrey |
| |||
#13 | group_gnode-unpublished-node-update-delete-check_2852963-13.patch | 1.12 KB | mikemccaffrey |
| |||
#10 | group_gnode-unpublished-node-update-delete-check_2852963-10.patch | 2.88 KB | Anonymous (not verified) |
| |||
#9 | group_gnode-unpublished-node-update-delete-check_2852963-9.patch | 2.47 KB | Anonymous (not verified) |
| |||
#6 | group_gnode-unpublished-node-update-delete-check_2852963-6.patch | 768 bytes | Anonymous (not verified) |
Comments
Comment #1
Anonymous (not verified) CreditAttribution: Anonymous commentedvilepickle created an issue. See original summary.
Comment #2
Anonymous (not verified) CreditAttribution: Anonymous commentedComment #3
kristiaanvandeneyndeThis sounds like a bug. If you are trying to build a view that lists what you can edit, it should use the 'update' operation for node grants instead of 'view'.
The reason we only care about published vs unpublished when viewing nodes is because that's the only thing we have a permission for. We do not have something like "Edit own unpublished nodes".
Comment #4
Anonymous (not verified) CreditAttribution: Anonymous commentedYeah I think a better solution would be to have a permission for "edit own unpublished nodes" instead of just the view one for something like this.
Here's our views plugin to show what we're doing. It is looking at the update permission, but doesn't work as a Views filter (like for admin/content) unless the patch in #2 is applied currently.
Comment #5
kristiaanvandeneyndeYou forgot to tell the query that you are looking for nodes you can update:
I don't think we should ever have an "edit own unpublished nodes" permission. Core doesn't have it either. I was just mentioning that we don't have such a permission, not that we should have one :)
Comment #6
Anonymous (not verified) CreditAttribution: Anonymous commentedThanks for pointing that out. So I was doing some digging on this issue today. In our app, we've discovered that if a separate author in the group creates an unpublished node, but then a different user tries to view it with the filter above, it does not show up in the list of content.
The root cause doesn't seem to be the patch I presented originally since that function checks the node_access after the record has been entered in the first place.
What makes sense is down below in the gnode.module file:
It should probably be:
I was seeing only two records in the db for the gid:
gnode_unpublished:news
gnode_author:1:news
Where it should have "gnode:news" as well to be able to show the unpublished node.
This will also require an access rebuild I believe...
Not sure if this approach is best but feedback welcome.
Comment #8
Anonymous (not verified) CreditAttribution: Anonymous commentedBtw, that metaData line actually causes a fatal:
Fatal error: Call to undefined method Drupal\views\Plugin\views\query\Sql::addMetaData()
Comment #9
Anonymous (not verified) CreditAttribution: Anonymous commentedComment #10
Anonymous (not verified) CreditAttribution: Anonymous commentedI believe this is how node access is rebuilt on updb.
Comment #11
kristiaanvandeneyndeHmm I'd have to look into this but you may be right. Although you are setting an extra access record where we shouldn't do so. I'd rather hand out an extra grant to users checking for update/delete:
Keep in mind this needs to happen twice ($grants_m as well).
Comment #12
kristiaanvandeneyndeAlso your patch would grant view access to unpublished nodes to anyone with the "view published nodes" permission. So in order to fix that, we'd also need to change this elseif to an if:
Comment #13
mikemccaffreyHere is an updated patch (but without testing or rebuild on update) based on @kristiaanvandeneynde's suggestion in #11.
Comment #14
mikemccaffreyRerolled patch from #13.