Latest revision tab should respect 'view own unpublished content' permission [#2865498]

Problem/Motivation

The permissions to view the latest revision tab currently use view latest revision, and view any unpublished content permissions.

It makes sense to have that check for view own unpublished content too.

However, this is somewhat problematic because the node module defines view own unpublished content, while content moderation defines view any unpublished content.

Proposed resolution

Add the check for view own unpublished content.

Remaining tasks

Figure out how to reconcile the node module defining that permission.

User interface changes

API changes

Data model changes

Comment	File	Size	Author
#16	2865498-latest-revision-tab-respect-permissions-16.patch	704 bytes	tuwebo
#9	2865498-09.patch	9.71 KB	jhedstrom
#9	interdiff-2865498-07-09.txt	3.9 KB	jhedstrom
#7	2865498-7.patch	9.24 KB	timmillwood
#4	2865498-04.patch	9.32 KB	jhedstrom
#4	interdiff-2865498-03-04.txt	3.25 KB	jhedstrom
#3	2865498-03.patch	8.61 KB	jhedstrom

Comments

Comment #1

30 March 2017 at 19:36

jhedstrom created an issue. See original summary.

Comment #2

timmillwood

English

🏴󠁧󠁢󠁷󠁬󠁳󠁿 Wales, UK

CreditAttribution: timmillwood at Appnovation for Pfizer, Inc. commented 30 March 2017 at 19:44

I guess this is related to #2838452: Permissions: View any unpublished content not working?

Comment #3

jhedstrom

English

Portland, OR

CreditAttribution: jhedstrom at Phase2 for Workday, Inc. commented 30 March 2017 at 23:08

Status:

Active

» Needs review

Status	File	Size
new	2865498-03.patch	8.61 KB

I'm not sure how closely it's related to #2838452: Permissions: View any unpublished content not working aside from dealing with permissions...

Here is an initial patch.

Comment #4

jhedstrom

English

Portland, OR

CreditAttribution: jhedstrom at Phase2 for Workday, Inc. commented 30 March 2017 at 23:20

Status	File	Size
new	interdiff-2865498-03-04.txt	3.25 KB
new	2865498-04.patch	9.32 KB

1 file was hidden/shown/deleted

Status	File	Size
hidden	2865498-03.patch	8.61 KB

Last patch didn't check for the other permission 'view latest version' in conjunction with 'view own unpublished content'. I also added some code comments to the test cases.

Comment #5

timmillwood

English

🏴󠁧󠁢󠁷󠁬󠁳󠁿 Wales, UK

CreditAttribution: timmillwood at Appnovation for Pfizer, Inc. commented 21 April 2017 at 11:43

Status:

Needs review

» Reviewed & tested by the community

Looks good to me @jhedstrom, thanks!

Comment #6

21 April 2017 at 12:00

Status:

Reviewed & tested by the community

» Needs work

The last submitted patch, 4: 2865498-04.patch, failed testing.

Status	File	Size
new	2865498-7.patch	9.24 KB

Status	File	Size
hidden	2865498-04.patch	9.32 KB

Comment #8

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Chapter Three commented 29 April 2017 at 22:22

Status:

Reviewed & tested by the community

» Needs work

+++ b/core/modules/content_moderation/src/Access/LatestRevisionCheck.php
@@ -41,18 +43,25 @@ public function __construct(ModerationInformationInterface $moderation_informati
+      return AccessResult::allowedIfHasPermissions($account, ['view latest version', 'view any unpublished content'])
+        ->orIf(AccessResult::allowedIfHasPermissions($account, ['view latest version', 'view own unpublished content'])
+          ->andif(AccessResult::allowedIf($entity instanceof EntityOwnerInterface && $entity->getOwnerId() == $account->id()))
+        )->addCacheableDependency($entity);

Given this is access related I think we should be more verbose. And easy to read. Perhaps something like:

    if ($this->moderationInfo->hasForwardRevision($entity)) {
      $access_result = AccessResult::allowedIfHasPermissions($account, ['view latest version', 'view any unpublished content']);
      if (!$access_result->isAllowed()) {
        $owner_access = AccessResult::allowedIfHasPermissions($account, ['view latest version', 'view own unpublished content']);
        $owner_access->andif(AccessResult::allowedIf($entity instanceof EntityOwnerInterface && $entity->getOwnerId() == $account->id()));
        $access_result->orIf($owner_access);
      }
      return $access_result->addCacheableDependency($entity);
    }

Comment #9

jhedstrom

English

Portland, OR

CreditAttribution: jhedstrom at Phase2 for Workday, Inc. commented 4 May 2017 at 22:29

Status:

Needs work

» Needs review

Status	File	Size
new	interdiff-2865498-07-09.txt	3.9 KB
new	2865498-09.patch	9.71 KB

1 file was hidden/shown/deleted

Status	File	Size
hidden	2865498-7.patch	9.24 KB

This should address #9. Unfortunately, I couldn't use the exact logic there because of the way the andIf() and orIf() methods actually work. These don't impact the object they are being called on, but rather return a new access result, so the logic here relies on that return value. Still easier to read than the first attempt.

This approach also caught some issues with the test assumptions.

Comment #10

jhedstrom

English

Portland, OR

CreditAttribution: jhedstrom at Phase2 for Workday, Inc. commented 4 May 2017 at 22:30

+++ b/core/modules/content_moderation/src/Access/LatestRevisionCheck.php
@@ -41,18 +43,31 @@ public function __construct(ModerationInformationInterface $moderation_informati
+    return AccessResult::forbidden()->addCacheableDependency($entity);

I'd honestly prefer to return neutral here. Expressly forbidding something disallows other modules to grant access, whereas neutral is almost the same since something else needs to explicitly grant access.

Comment #11

timmillwood

English

🏴󠁧󠁢󠁷󠁬󠁳󠁿 Wales, UK

CreditAttribution: timmillwood at Appnovation for Pfizer, Inc. commented 17 May 2017 at 11:25

Status:

Needs review

» Reviewed & tested by the community

Looks to resolve the concerns in #8.

Comment #12

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott at Chapter Three commented 26 May 2017 at 17:38

Status:

Reviewed & tested by the community

» Fixed

Committed de122da and pushed to 8.4.x. Thanks!
Committed c560ef9 and pushed to 8.3.x. Thanks!

Credited myself because my review had an affect on the final patch.

Backported to 8.3.x because this is for an experimental module.

Comment #13

26 May 2017 at 17:39

alexpott committed c560ef9 on 8.3.x

Issue #2865498 by jhedstrom, timmillwood, alexpott: Latest revision tab...

Comment #14

26 May 2017 at 17:39

alexpott committed de122da on 8.4.x

Issue #2865498 by jhedstrom, timmillwood, alexpott: Latest revision tab...

Comment #15

9 June 2017 at 17:39

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Comment #16

tuwebo CreditAttribution: tuwebo at Metadrop commented 16 November 2017 at 12:55

Version:

8.4.x-dev

» 8.5.x-dev

Status	File	Size
new	2865498-latest-revision-tab-respect-permissions-16.patch	704 bytes

Sorry about opening this one again.
It is just that we forgot update "view latest version" permission description in the content_moderation.permissions.yml file.

Patch added, it just modifies the description.

Comment #17

timmillwood

English

🏴󠁧󠁢󠁷󠁬󠁳󠁿 Wales, UK

CreditAttribution: timmillwood at Appnovation for Pfizer, Inc. commented 16 November 2017 at 13:10

@TuWebO please open a new issue for this.

Comment #18

tuwebo CreditAttribution: tuwebo at Metadrop commented 16 November 2017 at 14:44

Hi @timmillwood thanks for the fast response.
I've added new issue #2924055: Wrong description for "view latest version" permission.

Latest revision tab should respect 'view own unpublished content' permission

Problem/Motivation

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Comment #13

Comment #14

Comment #15

Comment #16

Comment #17

Comment #18

Referenced by

News items

Our community

Documentation

Drupal code base

Governance of community