Hi,
Several people have had trouble working with the Workflow module: #481532: Workflow Access grants not always respected
The Workflow Access module defines grants on each node (view, update, delete). Everything works perfectly as long as the node is published ($node->status == 1).
But if the node isn't published ($node->status == 0), then the grants defined by Workflow Access are no longer applied. I found that this is prevented from happening in the node.module node_access() function, on line 2035:
```php
// If the module did not override the access rights, use those set in the
// node_access table.
if ($op != 'create' && $node->nid && $node->status) {
  // retrieve modules specific grants from node_access table
}
```
So I checked code from the same function in current D7 source code, and it's doing this the right way, I think:
```php
// If the module did not override the access rights, use those set in the
// node_access table.
if ($op != 'create' && $node->nid) {
  $query = db_select('node_access');
  $query->addExpression('COUNT(*)');
  $query->condition('grant_' . $op, 1, '>=');
  $nids = db_or()->condition('nid', $node->nid);
  if ($node->status) {
    $nids->condition('nid', 0);
  }
  $query->condition($nids);
  $grants = db_or();
  foreach (node_access_grants($op, $account) as $realm => $gids) {
    foreach ($gids as $gid) {
      $grants->condition(db_and()
        ->condition('gid', $gid)
        ->condition('realm', $realm)
      );
    }
  }
  if (count($grants) > 0) {
    $query->condition($grants);
  }
  return $query
    ->execute()
    ->fetchField();
}
```
So I think we should apply the same behaviour for D6. I don't see any reason for preventing modules from applying specific grants if a node isn't published yet. This is really useful in editorial workflow stuff.
To be honest, there may be a reason why this is done this way, but I can't see why; maybe someone could tell me.
I attach a really small patch here, which removes this condition from the statement in case no one sees a reason to keep it.
Thank you,
Jérémy
| Comment | File | Size | Author |
|---|---|---|---|
| #7 | 542788-allow-node-access-unpublished-7.patch | 735 bytes | erikwebb |
| #5 | 542788-allow-node-access-unpublished-5.patch | 782 bytes | erikwebb |
| #3 | 542788-allow-node-access-unpublished.patch | 500 bytes | erikwebb |
| | node_module_prevents_modules_grants.diff | 382 bytes | jchatard |
Comments
Comment #1
mas160 commented
I tried the solution you suggest on a test install and it seems to work correctly if the full granting process relies on Workflow, other privileges from node.module override those in Workflow.
By the way for how I intended to use this module this is correct.
Comment #2
vimaljoseph commented
The patch you submitted works for me also. Will this patch get into the next release?
Comment #3
erikwebb commented
This seems severe. Especially since it is deliberately remedied in D7, acknowledging a problem.
Under normal circumstances this would not matter, but when using any pre-published node access (like Workflow Access), this is crippling.
I've attached a properly named and formatted patch.
Comment #5
erikwebb commented
New patch created via CVS.
Comment #7
erikwebb commented
Comment #8
mas160 commented
#5: 542788-allow-node-access-unpublished-5.patch queued for re-testing.
Comment #10
yang_yi_cn commented
This issue is a duplicate of #72200: node_access() not checked on unpublished nodes
See the comments on http://drupal.org/node/72200#comment-423432 : the solution proposed here has a problem, it enables anonymous users to view any unpublished node that is in a node type not controlled by a node_access module.
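
The difference between the three variants discussed in this thread, as an added example that is not code from this issue or from Drupal: a small SQLite model of the node_access lookup comparing the original D6 status gate, the gate simply removed, and the D7-style query that only considers the nid 0 row for published nodes. The table rows, the `example_workflow` realm, the gid values and the nid 0 / realm `all` default grant are constructed assumptions.

```python
import sqlite3

# Constructed sample rows modelling {node_access}; realm names and ids are
# assumptions for illustration, not values taken from the issue.
ROWS = [
    # nid, gid, realm, grant_view
    (0, 0, "all", 1),               # site-wide default view grant (assumed)
    (7, 3, "example_workflow", 1),  # editors (gid 3) may view draft node 7
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE node_access "
               "(nid INT, gid INT, realm TEXT, grant_view INT)")
    db.executemany("INSERT INTO node_access VALUES (?, ?, ?, ?)", ROWS)
    return db

def can_view(db, variant, nid, published, user_grants):
    """user_grants maps realm -> [gid, ...], like node_access_grants()."""
    if variant == "d6_original" and not published:
        return False  # status gate: table is never consulted for drafts
    # The nid 0 row is eligible in every variant except the D7-style one,
    # which only adds it when the node is published.
    nids = [nid]
    if variant != "d7_style" or published:
        nids.append(0)
    pairs = [(r, g) for r, gids in user_grants.items() for g in gids]
    if not pairs:
        return False  # model choice: no grants held means no access
    sql = ("SELECT COUNT(*) FROM node_access WHERE grant_view >= 1 "
           "AND nid IN (%s) AND (%s)" % (
               ",".join("?" * len(nids)),
               " OR ".join(["(realm = ? AND gid = ?)"] * len(pairs))))
    params = nids + [value for pair in pairs for value in pair]
    return db.execute(sql, params).fetchone()[0] > 0

ANONYMOUS = {"all": [0]}
EDITOR = {"all": [0], "example_workflow": [3]}

def matrix():
    """View decision for unpublished node 7 under each variant."""
    db = make_db()
    return {(v, who): can_view(db, v, 7, False, grants)
            for v in ("d6_original", "d6_patched", "d7_style")
            for who, grants in (("anonymous", ANONYMOUS), ("editor", EDITOR))}

if __name__ == "__main__":
    for key, allowed in matrix().items():
        print(key, "->", "allow" if allowed else "deny")
```

In this model only the D7-style variant both honours the editor's module grant on the draft and keeps the draft closed to the anonymous account.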