Problem/Motivation

By default, checkRevisionViewAccess validates entity access for the latest revision only. But $this->latestRevisionCheck->access itself performs the check if ($this->moderationInfo->hasPendingRevision($entity)) {. A similar check should be done by jsonapi before latestRevisionCheck. Without checking hasPendingRevision, the error message "No pending revision for moderated entity." appears, which is not correct.

How to reproduce

  1. Set up 2 languages
  2. Enable the json:api module
  3. Enable the default Editorial content moderation workflow
  4. Create a node in the default language and publish it
  5. Translate the node into another language and leave it in draft
  6. Make a request to retrieve the original node with rel:working-copy:
    http://drupal.local:8080/en/jsonapi/node/{node_type}/{node_uuid}?&resourceVersion=rel%3Aworking-copy

Proposed resolution

Add hasPendingRevision condition to core/modules/jsonapi/src/Access/EntityAccessChecker.php

Remaining tasks

Make the code change

User interface changes

API changes

Comments

dmitry.korhov created an issue. See original summary.

dmitry.korhov

Status: Active » Needs review
File (new): 3.55 KB
Version: 8.9.0-beta3 » 8.9.x-dev

Core issues are now filed against the dev versions where changes will be made. Document the specific release you are using in your issue comment. More information about choosing a version.

bbrala

Version: 8.9.x-dev » 9.3.x-dev
Status: Needs review » Needs work

Thanks for the contribution! It's been a while, I'm slowly working through the queue, sorry about that.

+++ b/core/modules/jsonapi/src/Access/EntityAccessChecker.php
@@ -263,7 +290,7 @@ protected function checkRevisionViewAccess(EntityInterface $entity, AccountInter
+    if ($entity_type->getLinkTemplate('latest-version') && $entity->isLatestRevision() && isset($this->latestRevisionCheck) && $this->moderationInformation->hasPendingRevision($entity)) {
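Review bot: The new $this->moderationInformation->hasPendingRevision($entity) term at the end of the condition is dereferenced without a guard of its own; isset($this->latestRevisionCheck) only covers the other optional service, so add isset($this->moderationInformation) ahead of the call. Because the extra && term makes more requests skip this branch, a test should also confirm that a latest revision with no pending revision still goes through the entity's normal view access check rather than being allowed by default.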

This will fail if content_moderation is not available since the property will be NULL.

Also, this does need tests and preferably a testonly patch that shows the failure. Hopefully you are able to provide that?

I changed the target version to something more recent, since 8.9 is in security only mode right now.

dhirendra.mishra

File (new): 3.69 KB

Uploading the patch for 9.3.x here, as it was not applying automatically to 9.3.x, so I created it manually.
#5 NW is still pending.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.