Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Under certain configurations, a user can arrive at a node form and only find a Preview button, or if preview is disabled, no button at all.
Steps to reproduce
- Enable moderation on the Article content type
- Grant authenticated users the permission to create article content
- Log in as a normal authenticated user
- Try to add an article
Proposed resolution
Potential resolutions:
- Deny access to the add page if the user doesn't have access to the default moderation state
- Allow access to the add page, use a simple Save button, and then default the content to its default moderation state
Remaining tasks
Discuss potential resolution options, and implement.
User interface changes
Yes.
Comments
Comment #2
scookie CreditAttribution: scookie commentedNote: This can also occur on the Edit draft page when the user doesn't have access to any state transition for which the "from" state matches the current state of the node and the "to" state is enabled for the content type of the node. User only sees a Cancel button (when that button is enabled).
Comment #3
scookie CreditAttribution: scookie commentedAnother scenario in which this can occur is if no state transition has been added involving the default state for the content type.
Comment #4
pericxc CreditAttribution: pericxc commentedThis patch take fix this issue with #1 proposed resolution.
Comment #5
pericxc CreditAttribution: pericxc commentedComment #6
jhedstromThis should be implemented on behalf of the
workbench_moderation
module.It should be noted that by solving this via a node-specific hook, this solution will only be applicable to nodes. I haven't done further investigation to determine if there is a more general solution, but this should be fine for the time being.
Rather than directly load the setting from config, I think it would be preferable here to load the config entity (in this case it would be a
NodeTypeInterface
) via the entity type manager, and then thegetThirdPartySetting($module, $key, $default = NULL)
method could be used.Comment #7
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedI agree with @jhedstrom on his first point. I think it would be better to take the more generic approach using
hook_entity_create_access()
.Also, as @scookie mentioned in #2, we would also need the equivalent version of
hook_entity_access()
to cover edit access too.Comment #8
pericxc CreditAttribution: pericxc commentedComment #9
jhedstromParameter type is missing here.
Perhaps rename this method to
hasValidTransitions()
? It could then be used for the edit operation too (which still needs to be implemented).Is this change necessary?
This is still node-specific. Can the same be achieved more generally via the entity hook mentioned above?
These changes are complex enough that I think some tests would help ensure this situation doesn't happen again (those tests can also be used to demonstrate the current bug this is fixing).
Comment #10
pericxc CreditAttribution: pericxc commented@jhedstrom
#4 The reason I used hook_node_create_access() because hook_node_access() no longer fires for the 'create' operation: Issue.
#3 I think it is necessary in case an empty array for target states is returned. That is the fix for the bug scookie mentioned in #1.
The rest will be fixed.
Comment #11
pericxc CreditAttribution: pericxc commentedComment #12
jhedstromThis is looking really good.
@pericxc pointed out that there isn't really a generic entity access hook, so for the time being, this will need to be mostly node-specific.
I'm going to mark this RTBC to get a few more eyes on for review.
Comment #13
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedPutting back to "needs work" for a minute just to make sure I'm understanding things correctly about the generic entity access point. There are a couple generic entity access hooks available:
The current implementation uses the entity type specific variants of these hooks:
Wouldn't we want to use the more generic forms? Workbench Moderation is applicable to entity types beyond just nodes, right? Or am I missing something? :)
Comment #14
jhedstrom@kevin.dutra you're totally right. When I spoke with @pericxc whatever search I was using to find docs on those seemed to not find them.
So given that, I think the node-specific access hooks should be refactored, and one additional test should be added that uses a non-node entity type (EntityTest probably).
Comment #15
pericxc CreditAttribution: pericxc commented@jhedstrom and @kevin.dutra,
The module is using hook_node_access for the 'view' and 'update' operation, so it seemed logical to use hook_node_create_access to for 'create' operation.
Comment #16
jhedstromIndeed it is. So perhaps this patch can continue to utilize node-specific access, but we could open a follow-up to generalize this logic where possible. Note the
isPublished()
method utilized inworkbench_moderation_node_access()
, while used on several core entity types, does not appear to be part of a more general interface.Comment #17
pericxc CreditAttribution: pericxc commentedComment #18
pericxc CreditAttribution: pericxc commentedComment #22
pericxc CreditAttribution: pericxc commentedComment #23
pericxc CreditAttribution: pericxc commentedI was wondering if the title should be changed since the issue got extended to cover issues with hooks!
Comment #24
jhedstromNit: extra line breaks here.
This variable doesn't appear to be used.
Unless I'm missing something, this part isn't node specific at all, so could be moved to apply to all entities? If that is the case, the non-node test should test the update operation too.
Comment #25
pericxc CreditAttribution: pericxc commentedComment #26
jhedstromThis is looking really close.
Can you update the non-node test to check for the 'update' operation and expected access?
Comment #27
pericxc CreditAttribution: pericxc commentedComment #31
pericxc CreditAttribution: pericxc commentedComment #32
jhedstromThis looks good. I manually tested as well to confirm. I also like that it takes a further step toward non-node-specific entity moderation.
Comment #33
larowlanLooking good, some minor adjustments
Please use the injected version instead of the global singleton
nit: can you use a better variable name than $modinfo - eg $moderation_info
Comment #34
pericxc CreditAttribution: pericxc commentedComment #39
pericxc CreditAttribution: pericxc commentedComment #40
Namzhilma Zhambalova CreditAttribution: Namzhilma Zhambalova as a volunteer and at DrupalJedi commentedHello,
I had bug with https://www.drupal.org/files/issues/workbench_moderation_2738869_34.patch patch.
On site I have 2 CTs, Article has moderation, Page doesn't have.
User (not admin) has permission to create Page.
But when user goes to page node/add/page, he sees Access Denied page.
I changed https://www.drupal.org/files/issues/workbench_moderation_2738869_34.patch to fix the issue.