Problem/Motivation
The method ModerationInformation::getLatestRevisionId
(and possibly ModerationInformation::getDefaultRevisionId
) has varying results if modules with node access grants are enabled. This particularly reveals itself if the content in question has not yet been published. For non-admins that don't have access granted in the query alter (but may otherwise be granted access) this method returns NULL.
Proposed resolution
Since both of these are API methods, they shouldn't return different results depending on which user is logged in. As such, the accessCheck(FALSE)
method should be called on the entity query.
Remaining tasks
Determine the best way to demonstrate this issue in a test.
User interface changes
API changes
Data model changes
Comment | File | Size | Author |
---|---|---|---|
#6 | 2932154-06.patch | 7.66 KB | jhedstrom |
#6 | 2932154-06-TEST-ONLY.patch | 6.36 KB | jhedstrom |
Comments
Comment #2
jhedstromComment #3
jhedstromHere's 2 tests that demonstrate the issue. The functional one is a change to an existing test, but instead of using the
node_access_test_empty
module, it uses the one that actually provides some node grants. The second is a kernel test that demonstrates the issue at the API level.Comment #5
timmillwood@jhedstrom - Good find! The patch in #2 looks perfect. Once tests pass I'll give a proper review.
Comment #6
jhedstromThose 2 fails were caused by the new logic in
node_access_test_node_access()
inadvertently granting the anonymous user access. Resolved by using a===
operator. This also removes what was an unnessesary change tonode_access_test_node_grants
.Comment #9
timmillwoodNice, looks good to me, thanks @jhedstrom!
Comment #10
catchPlug for #2931028: Separate entity query service into access checked and not access checked :)
Comment #13
larowlanCommitted as f3b60ed and pushed to 8.5.x
Cherry-picked as e5f7cc8 and pushed to 8.4.x
Thanks