Limit access to moderation form based on edit access

I think my real question here is: Under what conditions can someone perform a transition without being able to edit the node?

I'm not sure this makes sense as a separate module? It really seems expected behaviour if you've enabled workbench_moderation with workbench_access.

+++ b/workbench_access_state_transition/README.md
@@ -0,0 +1,3 @@
+Integrates workbench_access with workbench_moderation to limit a user's access to transition an entity between moderation states based on the constraints set by workbench_access. ¶

Nit: Whitespace at end of line.

Looks great, a couple of comments/questions below:

1. +++ b/workbench_access_state_transition/tests/src/Functional/WorkbenchAccessStateTransitionValidationTest.php
   @@ -0,0 +1,157 @@
   +    $field_storage = FieldStorageConfig::create([
   

   nit: Could we use the existing wba test trait to simplify this?

To be fair, that test trait was just committed. Yes, we should use it.

I have no problem adding this to the main module, but I do wonder if there is a bigger issue here.

State transitions need to respect editorial access controls. So this issue isn't limited to Workbench Access. Say you are using Organic Groups or similar, wouldn't the same problem occur?

If so, then we should fix this upstream at the Workbench Moderation / Content Moderation level.

I think the real problem is here in the StateTransitionValidation service:

  /**
   * Determines if a user is allowed to transition from one state to another.
   *
   * This method will also return FALSE if there is no transition between the
   * specified states at all.
   *
   * @param string $from
   *   The origin state machine name.
   * @param string $to
   *   The desetination state machine name.
   * @param \Drupal\Core\Session\AccountInterface $user
   *   The user to validate.
   *
   * @return bool
   *   TRUE if the given user may transition between those two states.
   */
  public function userMayTransition($from, $to, AccountInterface $user) {
    if ($transition = $this->getTransitionFromStates($from, $to)) {
      return $user->hasPermission('use ' . $transition->id() . ' transition');
    }
    return FALSE;
  }

That is not a sufficient permission check. It also needs to check entity access.

Unless that's a design decision by Workbench Moderation, in which case, this would be By Design.

How about this

1. We add a new permission 'moderate entities that cannot edit'
2. We change \Drupal\workbench_moderation\EntityOperations::entityView to include #access on the render array like so:
   

   '#access' => $this->currentUser()->hasPermission('moderate entities that cannot edit') || $entity->access('update'),
   

   - would require injecting the current_user service into EntityOperations, but no biggie

Because I think that's the only way you can change the moderation state without edit access.

would require a change notice/release notes as its a change in behaviour

Looking good

1. +++ b/src/EntityOperations.php
   @@ -46,6 +47,13 @@ class EntityOperations {
   +   * @var \Drupal\Core\Session\AccountProxyInterface
   
   @@ -58,13 +66,16 @@ class EntityOperations {
   +   * @param \Drupal\Core\Session\AccountProxyInterface $current_user
   

   Should this be AccountInterface? not the proxy?

2. +++ b/workbench_moderation.permissions.yml
   @@ -20,5 +20,9 @@ view latest version:
   +  title: Moderate entities that cannot edit
   

   I think we need to work on the title, not sure what we should make it though

Moderate entities that cannot edit

how about 'Moderate without edit access' then the description to clarify what it means?

Ok, we just need a change record here.

Thanks @acbramley!