Problem/Motivation

When a user saves a node, Drupal should check whether the user has access to it and then decide whether the new node title in the message should be a link or not.

Message with link
Created message

User doesn't have access to it
Error

To recreate:

  1. Drupal 8.x-4.x installation
  2. Create a new user role
  3. Add a new user and give the user the newly created role
  4. Give the user permissions to create/edit the page node type
  5. Don't give the user the 'View published content' permission
  6. Log in as the user and create new content of the type page
  7. Notice that you get a success message with a link to the node while you are in the access denied page for that node.

Proposed resolution

Add a node access check.

Comments

hkirsman created an issue. See original summary.

hkirsman’s picture

Issue summary: View changes

shabana.navas’s picture

Version: 8.2.x-dev » 8.4.x-dev
Issue summary: View changes
Status: Active » Needs review
FileSize
789 bytes

Added node access check before outputting the node title as a link in the success message so that we're only displaying the link if the user has view access on node insert and update.
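The access check described in this comment, sketched as an added example (not the attached patch and not Drupal core code). The helper names `example_node_saved_title()` and `example_node_saved_message()` are hypothetical; the entity and message calls are the Drupal 8 APIs of that era.

```php
<?php

use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Hypothetical helper (the name is an assumption, not a core function).
 *
 * Returns the value for the %title placeholder of the "has been created"
 * message: a link only when $account may view $node, otherwise plain text.
 */
function example_node_saved_title(NodeInterface $node, AccountInterface $account) {
  // Before the fix the title was always emitted as a link, even for a user
  // who gets "Access denied" on the link target:
  //   return $node->toLink()->toString();

  // After: ask the entity access system about the 'view' operation for the
  // account that just saved the node. The account is passed explicitly so
  // the check does not depend on whichever user is current at render time.
  if ($node->access('view', $account)) {
    // toString() returns safe markup, so %title does not escape it again.
    return $node->toLink()->toString();
  }

  // No view access: return the bare label. It is a plain string, so the
  // %title placeholder escapes it on output.
  return $node->label();
}

/**
 * Hypothetical caller: builds and shows the status message after a save.
 */
function example_node_saved_message(NodeInterface $node) {
  $t_args = [
    '@type' => node_get_type_label($node),
    '%title' => example_node_saved_title($node, \Drupal::currentUser()),
  ];
  // drupal_set_message() is the 8.4.x-era API; later releases use
  // \Drupal::messenger()->addStatus() instead.
  drupal_set_message(t('@type %title has been created.', $t_args));
}
```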

bander2’s picture

bander2’s picture

*can't not can

hkirsman’s picture

Thank you @shabana.navas! #3 works!

Not sure how #1368610 is related. Also, I was not able to find the code that the patch tries to fix at https://www.drupal.org/node/1368610#comment-10607206. Using 8.3.2.

bander2’s picture

#1368610 keeps me from reproducing the issue because:

  1. Drupal 8.x-4.x installation
  2. Create a new user role
  3. Add a new user and give the user the newly created role
  4. Give the user permissions to create/edit the page node type
  5. Don't give the user the 'View published content' permission
  6. Log in as the user and create new content of the type page. I am getting "Access Denied" because of #1368610. So I can't perform this step.
  7. Notice that you get a success message with a link to the node while you are in the access denied page for that node.

I'm not sure how to proceed. I am new to performing reviews. I don't want to give this RTBC unless I can reproduce the issue and confirm that the patch fixes it. I'm not sure if it is appropriate to fix #1368610 locally so I can reproduce this bug to move it along?

achandna’s picture

Status: Needs review » Closed (cannot reproduce)

Cannot reproduce this bug as per #7, and we get "access denied" if "View publish" permissions are not given.
If these permissions are required to create/edit content, this issue won't get reproduced.

karan_kural’s picture

.

hkirsman’s picture

@achandna, this was not about #7 but about what was talked about in the initial issue and what shabana.navas fixed in #3.

hkirsman’s picture

Status: Closed (cannot reproduce) » Needs review