Problem/Motivation

When user saves node then Drupal should check if user has access to it and then decide if the new node title in the message should be link or not.

Message with link
Created message

User doesn't have access to it
Error

To recreate:

  1. Drupal 8.x-4.x installation
  2. Create a new user role
  3. Add a new user and give the user the newly created role
  4. Give the user permissions to create/edit the page node type
  5. Don't give the user the 'View published content' permission
  6. Login as the user and create a new content of the type page
  7. Notice that you get a success message with a link to the node while you are in the access denied page for that node.

Proposed resolution

Add a node access check.

CommentFileSizeAuthor
#24 links_without_access-2866619-24.patch1.67 KBvakulrai
#22 2866619-22.patch811 bytesnikitagupta
#19 2866619-19.patch799 bytesranjith_kumar_k_u
#3 remove-link-to-node-if-not-access_2866619_3.patch789 bytesshabana.navas
Screen Shot 2017-04-04 at 13.05.35.png8.47 KBhkirsman
Screen Shot 2017-04-04 at 13.04.01.png12.7 KBhkirsman
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

hkirsman created an issue. See original summary.

hkirsman’s picture

hkirsman CreditAttribution: hkirsman commented
Issue summary: View changes
shabana.navas’s picture

shabana.navas CreditAttribution: shabana.navas at Acro Commerce commented
Version: 8.2.x-dev » 8.4.x-dev
Issue summary: View changes
Status: Active » Needs review
FileSize
remove-link-to-node-if-not-access_2866619_3.patch789 bytes

Added node access check before outputting the node title as a link in the success message so that we're only displaying the link if the user has view access on node insert and update.

bander2’s picture

bander2 CreditAttribution: bander2 as a volunteer commented

I can reproduce this on 8.4.x because of this issue:

#1368610: It is confusing why creating a node requires users to have permission to "view published content"

bander2’s picture

bander2 CreditAttribution: bander2 as a volunteer commented

*can't not can

hkirsman’s picture

hkirsman CreditAttribution: hkirsman commented

Thank you @shabana.navas! #3 works!

Not sure how is #1368610 related? Also I was not able to find the code that the patch tries to fix at https://www.drupal.org/node/1368610#comment-10607206 Using 8.3.2

bander2’s picture

bander2 CreditAttribution: bander2 as a volunteer commented

#1368610 keeps me from reproducing the issue because:

  1. Drupal 8.x-4.x installation
  2. Create a new user role
  3. Add a new user and give the user the newly created role
  4. Give the user permissions to create/edit the page node type
  5. Don't give the user the 'View published content' permission
  6. Login as the user and create a new content of the type page. I am getting "Access Denied" because of #1368610. So I can't perform this step.
  7. Notice that you get a success message with a link to the node while you are in the access denied page for that node.

I'm not sure how to proceed. I am new to performing reviews. I don't want to give this RTBC unless I can reproduce the issue and confirm that the patch fixes it. I'm not sure if it is appropriate to fix #1368610 locally so I can reproduce this bug to move it along?

achandna’s picture

achandna CreditAttribution: achandna commented
Status: Needs review » Closed (cannot reproduce)

Can not reproduce this bug as per #7 and we get "access denied" if "View publish" permissions are not given.
If these permissions are required to create/edit a content. This issue won't get reproduced.

karan_kural’s picture

karan_kural CreditAttribution: karan_kural commented

.

hkirsman’s picture

hkirsman CreditAttribution: hkirsman commented

@achandna, this was not about the #7 but what was talked in the initial issue and what shabana.navas fixed in #3.

hkirsman’s picture

hkirsman CreditAttribution: hkirsman commented
Status: Closed (cannot reproduce) » Needs review

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

ranjith_kumar_k_u’s picture

ranjith_kumar_k_u CreditAttribution: ranjith_kumar_k_u at Zyxware Technologies commented
FileSize
2866619-19.patch799 bytes

Re-rolled for 9.2

Status: Needs review » Needs work

The last submitted patch, 19: 2866619-19.patch, failed testing. View results

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

nikitagupta’s picture

nikitagupta CreditAttribution: nikitagupta at Srijan | A Material+ Company for Drupal India Association commented
Status: Needs work » Needs review
FileSize
2866619-22.patch811 bytes

worked on test failure.

Status: Needs review » Needs work

The last submitted patch, 22: 2866619-22.patch, failed testing. View results

vakulrai’s picture

vakulrai CreditAttribution: vakulrai as a volunteer and at QED42 for QED42 commented
Status: Needs work » Needs review
FileSize
links_without_access-2866619-24.patch1.67 KB

Updating the failed tests for the logic implemented.

Status: Needs review » Needs work

The last submitted patch, 24: links_without_access-2866619-24.patch, failed testing. View results

Meenakshi_j’s picture

Meenakshi_j CreditAttribution: Meenakshi_j at Srijan | A Material+ Company for Drupal India Association commented
Status: Needs work » Postponed
Issue tags: +Needs issue summary update

Hello,

I am not able to reproduce the issue based on the steps given in the issue summary.

This I believe is because the summary relates to the older 8.x version which definitely needs an update so tagging for issue summary update.

hkirsman’s picture

hkirsman CreditAttribution: hkirsman commented

Tx all!

I think it might have been fixed because you can't create node without "View published content" thus you can't see the message. I tested it with 8.9.16

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone CreditAttribution: quietone commented
Status: Postponed » Closed (cannot reproduce)
Issue tags: -Needs issue summary update +Bug Smash Initiative

I agree with #4, #7, #26, and #27 that this is not reproducible. I tested this on 9.4.x and was not able to reproduce this error. I followed the steps given in the Issue Summary.

Therefore, closing as cannot reproduce. If you are experiencing this problem on a supported version of Drupal reopen the issue, by setting the status to 'Active', and provide complete steps to reproduce the issue (starting from "Install Drupal core").

Thanks!

Dubs’s picture

Dubs CreditAttribution: Dubs commented
Version: 9.5.x-dev » 10.1.x-dev
Status: Closed (cannot reproduce) » Needs review

Hi all,

I'm reopening the issue because there are valid use cases, for example, in the case of content moderation an anonymous or authenticated user could create some content and then not have permissions to view the content. The above patch works in this situation.

Logically, a link to view unpublished or draft content should not be provided as this will result in an access denied page for the visitor.

Thanks for reading, and hopefully this patch can find it's way into the code base.

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Status: Needs review » Needs work
Issue tags: +Needs issue summary update

Per #30 if this is going to be reopened steps to reproduce fully need to be included in issue summary.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.