Hello,
I found a bug due to View unpublished.
I needed a module to let a certain content type be viewed by anonymous.
This module let me do this by giving the right permission to anonymous user "My content type : View unpublished content"
The problem is that I have views set to display unpublished content type with a showcase style ... then displayed on certain pages as blocks.
Since I use View unpublished, i can tell that I can't display any unpublished content via views.
The rule access in views Ive set is "View published content". its cool because its the default permission. i want it to stay it like this. This way I can put my block wherever I want, and anonymous user can see its content because I choose in viwes to display Unpublished content. It means also that this content is still unreacheable for anonymous if accessed from its url.
Now to let this views' content be displayed to them, I have to give the m the right "View unpublished content", meaning also that they would have access to this content from its url.
For me its seems legit to let this content by displayed from a view, even if the permission isnt given from the permissions page
Issue fork view_unpublished-2390703
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #1
msizec CreditAttribution: msizec commentedanybody have this issue too ?
its not very difficult to reproduce ...
Tell me if you need more infos
Comment #2
ChristianAdamski CreditAttribution: ChristianAdamski commentedWe had a similar problem. It turned out to be related to entity reference and some core functionality. Do you use entity reference?
Comment #3
ChristianAdamski CreditAttribution: ChristianAdamski commentedhttps://www.drupal.org/node/1349080 -> #195
Comment #4
msizec CreditAttribution: msizec commentedThanks for your answer, but no Im not using EntityReference with this view...
It really seems to me be a conflict between the rights defined by view_unpublished and the right given within the view. The second one is "overwritten" by view_unpublished ... Could it be ?
Comment #5
ChristianAdamski CreditAttribution: ChristianAdamski commentedI came accross similar issues. You can try my patch #231 in above mentioned thread. See if that helps. There issues with multiple node_access query alters at the same time.
Comment #6
msizec CreditAttribution: msizec commentedStill the same with the #231 patch
cleared the cache
Comment #7
gocaps CreditAttribution: gocaps commentedDid you ever find a solution to this?
I have a role which is supposed to be able to view and publish nodes of a certain content type. I have a custom admin view which allows you to search for nodes based on a custom "Long ID" field. When I install view_unpublished the role can view and publish nodes correctly, but they can't see any content from my custom admin view.
The access control on my custom admin view is permission based: Access the content overview page.
Comment #8
jonodunnett CreditAttribution: jonodunnett as a volunteer commentedI had a similar problem. I had a content type I didn't want showing up to users but I was allowing editors to see the unpublished nodes. I did want to use some of the content of the nodes in my Views though, but problem was the Views were coming up empty...
Solution for me was to disable SQL rewriting of these Views (under Advanced > Query settings). You get this warning so use with care.
WARNING: Disabling SQL rewriting means that node access security is disabled. This may allow users to see data they should not be able to see if your view is misconfigured. Please use this option only if you understand and accept this security risk.
Comment #9
Christian DeLoach CreditAttribution: Christian DeLoach commentedI came across the same problem reported. I have a view that does not use Published as a filter criteria. Unpublished nodes are displayed when logged in as an administrator but not for anonymous users. I've disabled the module and unpublished nodes appear for anonymous users.
Comment #10
giupenni CreditAttribution: giupenni commentedSame problem.
Comment #11
giupenni CreditAttribution: giupenni commentedThe #8 trick seem works, not a ideal world but at the least it works. To be used with caution.
Comment #12
ashleywilson CreditAttribution: ashleywilson commentedI'm using node_view_permissions, which doesn't work once view_unpublished is enabled.
Related issue: https://www.drupal.org/node/2425939
Comment #13
gocaps CreditAttribution: gocaps commentedI had to revisit this for my client a year later. Workaround #8 did the trick.
Comment #14
giupenni CreditAttribution: giupenni commentedAny news about this issue?
Comment #15
parisekExists also in Drupal 8 version, but disable SQL rewrite solve it
Comment #16
amaria CreditAttribution: amaria commented@parisek I think this is fixed in D8 version. Let me know if not
Comment #17
aschiwi CreditAttribution: aschiwi at undpaul commentedWe found this problem in a Drupal 9 site that uses this module. Disabling this module fixes the problem (as well as "disable SQL rewrite").
The problem for us specifically is on a multilingual site: The original language has been unpublished but other translations are published and need to show up in the view. They don't unless we disable SQL rewrite.
Comment #18
samsylve CreditAttribution: samsylve commented@amaria, The issue also exists for us on Drupal 9.2.4, with View unpublished 8.x-1.0.
Comment #19
DuaelFrI can confirm this strange issue.
We are using a view as an Entity Reference selection handler and some of our content is not available in the view results even if they are published AND our user has the "view any unpublished content" permission.
Comment #20
bsfajardo CreditAttribution: bsfajardo commentedWe've recently had a similar issue where unpublished nodes disappeared from View results even with the View filtering by `Published = No`. It only affected anonymous users. This View was working fine just a couple of weeks ago, using Drupal 9.3.11.
This behavior started after updating to Drupal 9.3.12, and I believe it was caused by this particular security patch, related to node access: https://www.drupal.org/sa-core-2022-009.
The fix in our case was granting 'view unpublished content' permission on a specific content type for anonymous users. Since this would also allow anonymous users to access unpublished nodes URLs, we used Rabbit Hole to return 404s for any node in that particular content type, and set a bypass for authenticated users.
Comment #21
nginex CreditAttribution: nginex at Dropsolid for Dropsolid commentedAs for me, these lines of code break node grants access checks in view_unpublished_node_grants()
The main purpose of the module to grant access to unpublished nodes if user has the right permission, but granding access to published content is not needed and breaks module logic
If I comment it, everything seems to work, I'm currently doing more tests.
Comment #22
nginex CreditAttribution: nginex at Dropsolid for Dropsolid commentedSo providing custom node grants does not work well with the changes from #2784887: Breaks with a multilingual site and translations with different published status
I'm going to provide a new patch here with the fix
Comment #24
nginex CreditAttribution: nginex at Dropsolid for Dropsolid commentedSo the issue is applicable if your content has at least one unpublished translation and other modules implement custom node grants to view content.
The fix in the MR should help to fix the issue without disabling node access check per view.
It's important to rebuild permissions after applying the patch.
Comment #25
Piotr PakulskiExperiencing the same problem. Unfortunately MR_2 does not solve the problem after rebuilding the permissions. So I stick with disable "SQL rewrite" in the view for now.
Comment #26
Hydra CreditAttribution: Hydra as a volunteer and at erdfisch commented#3 Did the trick for me, thx!
Comment #27
jillsjfrancis CreditAttribution: jillsjfrancis as a volunteer and commented"Disabling SQL rewrite" partially worked for me, but one map section was still not showing up.
Comment #28
Wouter Waeytens CreditAttribution: Wouter Waeytens commentedI had the same issue with domain_access. https://www.drupal.org/project/drupal/issues/3061782 fixed the problem for.