Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
In Drupal 8.6, we want to make taxonomy terms usable with the Workspace module, which means they need to be revisionable and publishable. This issue has been split from #2880149: Convert taxonomy terms to be revisionable, and it handles only the publishable part.
Proposed resolution
Add a status
field to taxonomy terms.
Remaining tasks
Review.
User interface changes
No UI changes yet, they will be handled in #2899923: UI for publishing/unpublishing taxonomy terms.
API changes
Nope.
Data model changes
Taxonomy terms will have a publishing status field.
Comment | File | Size | Author |
---|---|---|---|
#49 | interdiff-49.txt | 1.75 KB | amateescu |
#49 | 2981887-49.patch | 46.42 KB | amateescu |
#47 | 2981887-47.patch | 45.83 KB | amateescu |
#35 | interdiff-35.txt | 529 bytes | amateescu |
#35 | 2981887-35.patch | 45.34 KB | amateescu |
Comments
Comment #2
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedExtracted the relevant parts from #2880149-170: Convert taxonomy terms to be revisionable into a separate patch.
Comment #3
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedForgot to change the number of the update function :)
Comment #4
timmillwoodI can't find any issues, looks good to me.
Should we also port all of the credit from #2880149: Convert taxonomy terms to be revisionable to this issue?
Comment #5
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedYes, we should definitely do that.
Comment #6
Gábor HojtsyThis looks good, I like how the update was considering the content translation scenario and views. On the other hand terms could appear in different ways in views, eg. as a relationship. What would happen to those?
Similar question: does this affect entity reference fields, do those have settings to allow unpublished/published or how does the handling of access happen there?
Also not RTBC yet given the lack of credit carryover.
Comment #7
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedI don't think we can do anything for terms that come through a relationship. I've just tried this scenario using a taxonomy term view with a relationship to nodes based on the 'field_tags' field, and unpublished nodes do appear in the results by default. The fact that we don't have a unified query access API for entities is a known problem for many years, and there's an issue in the Entity API contrib module which tries to tackle this: #2909970: Implement a query-level entity access API
That's an excellent point! Updated
\Drupal\taxonomy\Plugin\EntityReferenceSelection\TermSelection
to handle publishable terms and added test coverage for it.Comment #9
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedRerolled on latest HEAD. The interdiff from #7 is good though.
Comment #11
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedSo #2936793: EntityReferenceItem::generateSampleValue() should create a sample entity if a referenceable entity is not found "fixed" the problem with sample values at the wrong level, but we can use the workaround added there and clean it up in #2936864: Discuss adding a 'status' field type that could be used in place of 'boolean'.
Comment #12
joachim CreditAttribution: joachim as a volunteer commentedShouldn't we also convert views that show entities with taxonomy term arguments, so that the argument validation fails if the term is unpublished?
Comment #14
amateescu CreditAttribution: amateescu for Pfizer, Inc. commented@joachim, I looked at all the views argument plugins provided by the node module (in
core/modules/node/src/Plugin/views/argument
and.../argument_default
) and I couldn't find anything related to the publishing status of a node. I guess that means there's nothing special to do for taxonomy terms as well?Comment #15
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedHowever, there is indeed something that we need to do related to the access for viewing taxonomy terms.
Comment #17
joachim CreditAttribution: joachim as a volunteer commented> @joachim, I looked at all the views argument plugins provided by the node module (in core/modules/node/src/Plugin/views/argument and .../argument_default) and I couldn't find anything related to the publishing status of a node. I guess that means there's nothing special to do for taxonomy terms as well?
I don't really follow... a term argument won't care about node status. But it *should* care about taxonomy status.
Here's how I see it:
Consider the taxonomy_term view that taxonomy module provides OOTB. This shows published nodes that are tagged with a term.
Suppose node N is tagged with term T.
- if I unpublish the node N, then it doesn't appear in the list of nodes for term T
- if I unpublish the term T, then the whole of the page at taxonomy/term/T should go. Because otherwise, it's possible to get to that URL and see the term's name, and the things it's tagged with. Which is pretty much what "seeing the term" means. And unpublishing it should mean you can't see it any more.
Comment #18
amateescu CreditAttribution: amateescu for Pfizer, Inc. commented@joachim, I was looking at node's views argument implementations *as an example*. And if node didn't have any special handling for *the node status field*, the conclusion was that taxonomy terms also don't need any special handling for *taxonomy term status field*.
And the scenario you describe is *exactly* what the patch from #15 provides.
Comment #19
joachim CreditAttribution: joachim as a volunteer commentedThis update is only changing views whose base is terms. So it won't change core's taxonomy_term view, for instance, as the base of that is nodes.
Am I looking at the wrong one?
Comment #20
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedThat's right, the post update function from this patch does not change core's taxonomy_term view. I don't get the question about looking at the wrong one though.
Comment #21
joachim CreditAttribution: joachim as a volunteer commented> That's right, the post update function from this patch does not change core's taxonomy_term view.
That's what I am trying to say.
> And the scenario you describe is *exactly* what the patch from #15 provides.
And so no, this does not happen.
If term 42 is 'Cats', and I unpublish it, then /taxonomy/term/42 will *still* show a title of 'Cats' and the nodes tagged with 'Cats'.
So, what has unpublishing actually done? The term's title is still visible, and it's still possible to see the relationships. Surely that's a security issue.
Comment #22
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedYes, it does. I already said that I tested it with the patch applied, have you?
Comment #23
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedI just looked at views' code and it's the
entity
argument validator which checks entity access in\Drupal\views\Plugin\views\argument_validator\Entity::validateEntity()
.Comment #24
joachim CreditAttribution: joachim as a volunteer commentedYes, you're right. Sorry for getting all mixed up -- running on insufficient sleep :(
Comment #25
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedNo need to.. I was the same:
Let's add proper test coverage for all this instead :)
Comment #26
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer commented@amateescu++
Went over the test, I think its pristine, only one nitpick
Hummm this sounds like we should open up a bug report and link to it here perhaps (not a blocker for this obviously).
Comment #27
amateescu CreditAttribution: amateescu for Pfizer, Inc. commented@Manuel Garcia, sure thing, opened #2983070: \Drupal\views\Plugin\views\argument_validator\Entity does not make the view return a 403 status code if the entity access check fails and linked it in our test.
Comment #28
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer commentedThanks @amateescu, even with a patch!
This looks RTBC to me...
Nit: do we need these two extra spaces before the links?
Comment #29
amateescu CreditAttribution: amateescu for Pfizer, Inc. commented@Manuel Garcia, yup, we need them because they're part of the
@todo
comment, and all the following lines need two extra spaces :)Comment #30
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer commentedAh of course, thanks @amateescu for clarifying :)
I think this is ready now, anything else left here besides carrying credit from #2880149: Convert taxonomy terms to be revisionable ?
Comment #31
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedNope, I think we're done..
Comment #32
timmillwoodLooks good!
Comment #34
chr.fritschLooks like we need to add
@group legacy
in the update tests since #2973791: Fix deprecation messages related to deprecated comment Action plugins was committed.Comment #35
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedRight, let's do that.
Comment #36
jibranCan we please also add a change notice for this?
Comment #37
jibranIgnore previous comment found https://www.drupal.org/node/2897789
Comment #38
chr.fritschBut it looks like we should split the CR as well
Comment #39
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedWrote a new CR for this issue (https://www.drupal.org/node/2985366) and updated https://www.drupal.org/node/2897789 to only mention the revisionability part.
Comment #40
jibranI have a question: if a term is published and its parent is unpublished would the user(with view access) be able to see the term? If the same user has the edit access and can't view unpublished parent then how would the parent widget look like or allow the user to change the parent?
Comment #41
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedThat's an interesting question :)
Since a term can have multiple parents, some of which could be published and others unpublished, and entity access does not offer any kind of context, I don't think we can restrict view access for individual terms based on the publishing status of its parent(s).
Note that the entity reference selection is able to do this, as can be seen in the patch, because it has the full taxonomy tree as a context to base its logic on.
Comment #43
Wim Leers👍
👍
I love it when a plan comes together 😀
I think this may be the first time that updating core REST is now slowing down @amateescu!
Comment #45
chr.fritschThis needs a reroll since #2987084: Convert EntityReferenceSelectionAccessTest to a kernel test was committed.
Comment #46
anavarreComment #47
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedRerolled.
Comment #48
plachThis is looking almost ready to go!
I think we should support the case where a
status
field already exists and skip the update in that case, as we did insystem_update_8501()
. We'll need also a similar change record.Can we also add an assertion to check the term can be unpublished as well?
Comment #49
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedThanks for reviewing! Fixed both points and I'll update the CR tomorrow.
Comment #50
jibranLatest interdiff looks good to me. #48 is addressed so back to RTBC.
Comment #59
plachSaving credits and crediting people from #2880149: Convert taxonomy terms to be revisionable.
Comment #62
plachSince this will allow us to test taxonomy with
Workspaces
in contrib via theMultiversion
module, it's valuable to go ahead and commit this patch even if the parent one does not make it into 8.6.Pushed 543b3f4 to 8.7.x and backported it as 8081895 to 8.6.x.
Thank you all, see you in #2880149: Convert taxonomy terms to be revisionable!
Comment #63
plachWe still need to update the CR with the instructions to write a manual DB update in case of name collisions.
Comment #64
plachComment #65
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedUpdated the CR to add instructions about manual updates in case taxonomy terms already have a
status
field, and published it.Thanks, everyone!
Comment #67
xjmIs there any disruption or important update information that needs to be mentioned in the release notes, or is it just a highlighted feature? If the latter the tag should be "8.6.0 highlights". Otherwiwse, if there is some important update information please document it here on the issue so the information can be included in the final release notes. Thanks!
Comment #68
jibranThat there is no UI yet and it has been worked on in #2899923: UI for publishing/unpublishing taxonomy terms
Comment #69
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedI think this can be just a highlight.
Comment #70
SlayJay CreditAttribution: SlayJay commentedJust FYI for anyone else that comes across this, I did *NOT* have any status fields on my taxonomy terms, but this change broke every entity reference field to terms on my site for non-admins. Took me about 2 weeks to track this down and figure out the cause.
Essentially the status field was created but with null values, basically preventing anyone without admin access from seeing them.
Since there's no UI yet, what I had to do was create a route that would loop through all terms and run ->setPublished() on them. Which was easy and quick (once I understood the issue) for me, but would be really hard for someone who's not a developer.
Comment #71
jedgar1mx CreditAttribution: jedgar1mx commentedShould i install #35 if i am running 8.6x?
Comment #72
amateescu CreditAttribution: amateescu for Pfizer, Inc. commented@jedgar1mx, you don't need to apply this patch manually, it is already included in core since 8.6.0.
Comment #73
jedgar1mx CreditAttribution: jedgar1mx commentedThanks for the clarification amateescu. I did notice that even though the taxonomy is
unpublished
, the taxonomy term page still accessible.Node
have an item in permissionView own unpublished content
. Shouldn'ttaxonomy
has the same ability to limit access to unpublished terms? ThanksComment #74
amateescu CreditAttribution: amateescu for Pfizer, Inc. commented@jedgar1mx, the taxonomy term page is a view, and this patch automatically updated all views and added a status filter to them. In your case, I would start investigating that view for custom modifications.
Comment #75
jedgar1mx CreditAttribution: jedgar1mx commentedOk, thanks again amateescu
Comment #76
cilefen CreditAttribution: cilefen as a volunteer commented