Workflow State Form is exposed despite rights missing.

In workflow/workflow.module in function workflow_form_alter(&$form, &$form_state, $form_id) it says, in line 623

// Abort if user does not want to display workflow form on node editing form.
      if (!in_array('node', variable_get('workflow_' . $form['#node']->type, array('node')))) {
        return;
      }

Since this isn't user sensitive it will aways expose the form. I am not sure if it is really a bug. It is more an unexpected behavior - since the role Anonymous is not allowed to participate in workflow.

Nancy, thank you for getting back to me.

The permissions you mention are set correctly. Anonymous still sees this when the node creation form is exposed to Anon. This is because workflow_form_alter() does not use the permission check.

I don't have an insight if that would be code duplication, but maybe it is possible to change that line (workflow.module:625) to:

 if (!in_array('node', variable_get('workflow_' . $form['#node']->type, array('node'))) || !workflow_node_tab_access($form['#node'])) {
        return;
      }

Thank you for your time Nancy. I'll try and answer.

>I'm assuming that you have "Display workflow on" with "Post" checked and are seeing this during >editing.

That is correct.

>First, I can't imagine the utility of that, but the feature was there before I came here.
That quite simple tp explain: I have a field on that page which I expose to a higher level user. This user will fill that field (a review text for the node) and progress it through the workflow accordingly. Its just more comfortable to have it on one page.

>I tried to set up a test according to what you say above. Without the Tab Form permissions set in >the workflow, the anonymous user did not see the state change form during edit, even with the >"Show workflow state change on node view " permission. They could see the Workflow tab (next to >Edit), but all that was there was the history.

Just to clarify this: I am talking about the Vertical Tab on the bottom of the creation page. Additionally the node creation must be exposed to Anonymous.

>When I allowed anonymous users to transition to another state as well as the first one, then the >form showed up. I would expect this, because it was told to let anonymous users do that transition.

Actually if this node wants to participate in the workflow you must allow a transition from (creation) to a state - otherwise there is this error:

Please give the author permission to go from (creation) to at least one state!

This does not mean I want Anonymous to see the form. Which is additionally a bit pointless b/c they cannot do anything. The next state is fixed preselected.

>Even though the user is anonymous, the node has to go to the first state. Note that "author" still >refers to an anonymous user creating content.
Right - and I think thats the problem here. Why can't it just stay at "creation"?

Right, but it still shows the form - which is confusing to Anon.

Thank you again Nancy, for trying to understand my issue.

That's why "author" must be allowed to transition the node to a state, usually the first state.

Honestly, I don't find it confusing at all, neither the creation state nor that the author has to be assigned the right to transit the node.

What I do find I confusing that this also must expose this transition change to the UI. Anon cannot change the state to anything different in my case. Anon is not allowed to see the tab (Workflow tab permissions). Yet it is exposed as a vertical in the creation ui. I find this mind boggling.

Nancy - thank you for bearing with me here.

Yes I am seeing a different behavior.
It is the same in my case: The author has transition rights to only go from the "(creation)" state to the "New"(in my case its called "Pending") state.
I do see the vertical tab in any case. Since the author is only permitted to transit from "(creation)" to "Pending" this state is pre-selected and a radio button, so you cannot deselect it. The whole vertical tab does not go away unless I apply the change from #3.

And this makes perfect sense b/c the form "is factored out of workflow_form_alter()" as stated in the source code. There is no access check as far as I can tell in workflow_form_alter().
(This also causes weirdness if you set the the workflow fieldset to hidden in admin/structure/types/manage/*/display - nothing happens.)

Seeing a different behaviour from #4 even with the current dev code.

I created a simplytest to show this
http://se18a9fe9ba8b9ca.s3.simplytest.me/
..but it will probably long gone before anyone sees this. It however verified that there is no interaction with other modules I have installed.

Just to summarize, to check we are on the same train:

1. If a node-type is part of a workflow the author must have at least one degree of freedom to move the node from (creation) to another state. The author must have permission to do so.
2. Whether or not the author can select which transition is made through a UI should be independent of this.
   • This is possible, if in admin/config/workflow/workflow Content Type Mapping no option for Display Workflow Form on: is selected.
   • However It should be permission dependent as well
     • I am not seeing that behaviour
     • Nancy does

If the above is correct, how do you recommend we set up a test case around this to help you solve this?

Okay. my try this is what I do on simplytest.me:

1. simplytest.me
2. project name: workflow
3. Select branch: 7.x-1.x
4. Launch sandbox
5. Login
6. Modules Page
7. Enable: Workflow, Workflow access, Workflow actions and triggers, Workflow UI, Workflow Clean Up, Workflow Revert, Workflow rules, Workflow Search API, Workflow VBO, Workflow views
8. Configuration:Workflow
9. Add Workflow (Name: TESTFLOW A)
   • Leave presets as is, no permissions
   • Save
10. Create First state: STATE A ([x] active)
    • Save
11. Rebuild permissions
12. Configuration » Workflow » TESTFLOW A » Edit Transitions
    • From → (creation) To STATE A
    • Check: author,anonymous user, authenticated user,administrator
    • Save
13. Configuration » Workflow
14. For Basic Page
    • Assing Workflow "TESTFLOW A"
    • check [X] Post (Display Workflow form on:)
15. Use Shortcut "Add content" -> Basic Page
    • vertical Tab "TESTFLOW A" with preselected State A
    • (thats okay because I am logged in as user 1)
16. People
17. Permissions
18. Basic page: Create new content -> check "Anonymous User"
19. LogOut
20. go to: node/add/page
    • Note: - vertical Tab "TESTFLOW A" with preselected State A
    • imho this shouldn't be there b/c in admin/config/workflow/workflow/edit/1 there is no permission given.

Thank you Nancy, of course that patch does the trick.

Even though I still find it confusing that the "Workflow tab permissions" don't include the vertical tab I will give it a rest.

Again: Thank you for working on this and sorry for delaying your new version.

Best,
nhck

PS: Did you know dreditor comes with a simplytest.me button? So awesome!