Problem/Motivation
The Group content permission provider does not provide a 'view own unpublished entity' permission. This permission is particularly useful for the content moderation module. When content has to be reviewed before publishing you want the ability for the group member and creator of the content item to edit the content item. Right now the only way would be to add the "View any unpublished entity" permission to all group members which is not acceptable for most common use cases.
Proposed resolution
Add that permission in the GroupContentPermissionProvider for entities which implement the PublishedInterface and OwnerInterface.
The access check is already done in Drupal\group\Plugin\GroupContentAccessControlHandler
by checking for the "view own unpublished entity".
There is already a test for the Entity Query Access in EntityQueryAlterComplexTest::testMemberViewOwnUnpublishedAccess
so we won't need to test for that.
Tests need to be changed in:
- GroupContentPermissionProvider: to make sure the correct permissions are provided based on the implementation of PublishedInterface and OwnerInterface
- EntityAccessComplexTest: to make sure that the user can view it's own unpublished content when it has the permission
Comment | File | Size | Author |
---|---|---|---|
#34 | group-2876696-34.patch | 3.94 KB | kristiaanvandeneynde |
Issue fork group-2876696
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
jhedstromThis adds the 'view own unpublished content' permission to be in keeping with all the node module's permissions.
Comment #3
jhedstromComment #4
jhedstromOops, that was missing a parameter to
hasPermission()
.Comment #5
jhedstromBah, that had a custom code comment in it. Sorry for the noise.
Comment #6
robertragas CreditAttribution: robertragas commented+1 , code works, but personally I would prefer to see this per content-type like
"Group node (Article) - Entity: View own unpublished content entities"
Comment #7
jhedstromAgreed. This is the corresponding core issue for such permissions: #2875867: Add per-bundle unpublished content permissions.
Comment #8
jhedstromEr, actually that core permission issue is for 'view any'. I'm not aware of any effort in core to split the view own permission out into per-bundle permissions.
Comment #10
jaapjan CreditAttribution: jaapjan at 25Knots for Open Social commentedSince the Group module now leverages the contrib Entity module and has an access control handler which supports the "View own unpublished entity" permission I think we could change this to a Feature request. Implementing this shouldn't be too much work and the added benefit is that it will work for all the content entities.
@jhedstrom I hope you are OK with me changing this report. But since the issue was a bit older I thought it would make sense to do it like this.
Comment #12
jaapjan CreditAttribution: jaapjan at 25Knots for Open Social commentedMerge request should be complete now. Open for any feedback/review.
Comment #13
jaapjan CreditAttribution: jaapjan at 25Knots for Open Social commentedTest fails because issue #3188747: EntityQueryAlterCacheabilityTest is failing on several tests in issue queue
Comment #14
jaapjan CreditAttribution: jaapjan at 25Knots for Open Social commentedComment #15
_dcre_ CreditAttribution: _dcre_ commentedpatch #5 is not creating a permission per content type
i attach a slightly updated patch which does.
Comment #16
jaapjan CreditAttribution: jaapjan at 25Knots for Open Social commentedBeware that the patch file is outdated and does not use the new Entity Access handling.
The merge request contains the code you should use with the latest version of 1.3. https://git.drupalcode.org/project/group/-/merge_requests/9.patch
It would be really nice if you could test that one instead.
Comment #17
jyraya CreditAttribution: jyraya for European Commission and European Union Institutions, Agencies and Bodies commentedHello,
I tested the patch 9 referenced in the #16 of Jaap.
With the permission "Entity: View own unpublished content item entities", I was able to restrict the access to unpublished content to the only group-level authors and the users having a role with the permission "Entity: View any unpublished content item entities".
I was able to set the permissions for every content type "installed" on the group type.
Thanks everybody for the work!
Comment #18
bramtenhove CreditAttribution: bramtenhove at Open Social for European Commission and European Union Institutions, Agencies and Bodies commentedAlso tested #16 and all works as expected.
Setting it to RTBC.
Comment #19
ayalon CreditAttribution: ayalon at Liip commentedMaybe we should also include "View own entity" in the patch. I added it and it works out of the box.
Comment #20
jyraya CreditAttribution: jyraya for European Commission and European Union Institutions, Agencies and Bodies commentedThe possibility to have a "View own entity" permission deserves its dedicated issue as:
Then, we should have further test efforts on this.
Therefore, I propose to move on with the current patch and create a dedicated issue for the "View own entity" permission detailing the use case, the motivations and
Comment #21
dan2k3k4 CreditAttribution: dan2k3k4 at Amazee Labs commentedI'm attaching the merge-request patch from #9 as in case the MR gets new commits, then that link would get updated with those changes.
Testing #9 on a project where the editor creates a new node for a specific group they are a member of, but does not publish the node.
EDIT:
I missed the new permission on the Group Type which I needed to check:
- View own unpublished content item entities
Comment #22
FiNeX CreditAttribution: FiNeX as a volunteer commentedThis patch also works on Group 2.x but you've to apply manually.
Comment #23
dalra CreditAttribution: dalra commentedComment #24
kristiaanvandeneyndeThis needs a reroll for v2/v3 as it still mentions GroupContentEnabler. I also see no label being added for the new permission.
Comment #25
msnassar CreditAttribution: msnassar at European Commission and European Union Institutions, Agencies and Bodies commentedPatch for group 2 and 3
Comment #26
msnassar CreditAttribution: msnassar at European Commission and European Union Institutions, Agencies and Bodies commentedComment #27
kristiaanvandeneyndeThis would work, I'm just carefully considering whether this is an API break or not.
Also:
Can simply be:
Comment #28
kristiaanvandeneyndeI don't see how this is a problem, attaching a reworked patch.
Comment #30
kristiaanvandeneyndeWhoops
Comment #32
kristiaanvandeneyndeThis should fix that.
Comment #34
kristiaanvandeneyndeI need to learn to test locally before submitting stuff...
Comment #35
kristiaanvandeneyndeAs this is a feature I've added it to a new minor version (3.1.0/2.1.0)