View unpublished breaks access rules defined by Views

We had a similar problem. It turned out to be related to entity reference and some core functionality. Do you use entity reference?

https://www.drupal.org/node/1349080 -> #195

I came accross similar issues. You can try my patch #231 in above mentioned thread. See if that helps. There issues with multiple node_access query alters at the same time.

Did you ever find a solution to this?

I have a role which is supposed to be able to view and publish nodes of a certain content type. I have a custom admin view which allows you to search for nodes based on a custom "Long ID" field. When I install view_unpublished the role can view and publish nodes correctly, but they can't see any content from my custom admin view.

The access control on my custom admin view is permission based: Access the content overview page.

I had a similar problem. I had a content type I didn't want showing up to users but I was allowing editors to see the unpublished nodes. I did want to use some of the content of the nodes in my Views though, but problem was the Views were coming up empty...
Solution for me was to disable SQL rewriting of these Views (under Advanced > Query settings). You get this warning so use with care.

WARNING: Disabling SQL rewriting means that node access security is disabled. This may allow users to see data they should not be able to see if your view is misconfigured. Please use this option only if you understand and accept this security risk.

I came across the same problem reported. I have a view that does not use Published as a filter criteria. Unpublished nodes are displayed when logged in as an administrator but not for anonymous users. I've disabled the module and unpublished nodes appear for anonymous users.

Same problem.

The #8 trick seem works, not a ideal world but at the least it works. To be used with caution.

I'm using node_view_permissions, which doesn't work once view_unpublished is enabled.

Related issue: https://www.drupal.org/node/2425939

I had to revisit this for my client a year later. Workaround #8 did the trick.

Any news about this issue?

Exists also in Drupal 8 version, but disable SQL rewrite solve it

@parisek I think this is fixed in D8 version. Let me know if not

We found this problem in a Drupal 9 site that uses this module. Disabling this module fixes the problem (as well as "disable SQL rewrite").
The problem for us specifically is on a multilingual site: The original language has been unpublished but other translations are published and need to show up in the view. They don't unless we disable SQL rewrite.

@amaria, The issue also exists for us on Drupal 9.2.4, with View unpublished 8.x-1.0.

I can confirm this strange issue.
We are using a view as an Entity Reference selection handler and some of our content is not available in the view results even if they are published AND our user has the "view any unpublished content" permission.

We've recently had a similar issue where unpublished nodes disappeared from View results even with the View filtering by `Published = No`. It only affected anonymous users. This View was working fine just a couple of weeks ago, using Drupal 9.3.11.

This behavior started after updating to Drupal 9.3.12, and I believe it was caused by this particular security patch, related to node access: https://www.drupal.org/sa-core-2022-009.

The fix in our case was granting 'view unpublished content' permission on a specific content type for anonymous users. Since this would also allow anonymous users to access unpublished nodes URLs, we used Rabbit Hole to return 404s for any node in that particular content type, and set a bypass for authenticated users.

As for me, these lines of code break node grants access checks in view_unpublished_node_grants()

if ($account->hasPermission('access content')) {
  $grants['view_unpublished_published_content'] = [1];
}

The main purpose of the module to grant access to unpublished nodes if user has the right permission, but granding access to published content is not needed and breaks module logic

If I comment it, everything seems to work, I'm currently doing more tests.

So providing custom node grants does not work well with the changes from #2784887: Breaks with a multilingual site and translations with different published status

I'm going to provide a new patch here with the fix

So the issue is applicable if your content has at least one unpublished translation and other modules implement custom node grants to view content.

The fix in the MR should help to fix the issue without disabling node access check per view.

It's important to rebuild permissions after applying the patch.

Experiencing the same problem. Unfortunately MR_2 does not solve the problem after rebuilding the permissions. So I stick with disable "SQL rewrite" in the view for now.

#3 Did the trick for me, thx!

"Disabling SQL rewrite" partially worked for me, but one map section was still not showing up.

I had the same issue with domain_access. https://www.drupal.org/project/drupal/issues/3061782 fixed the problem for.