Don't use link in message after node save if user doesn't have permissions

Created on 4 April 2017, about 8 years ago
Updated 1 September 2023, over 1 year ago

Problem/Motivation

When a user saves a node, Drupal should check whether the user has access to it and then decide whether the new node title in the message should be a link.

Message with link

User doesn't have access to it

To recreate:

  1. Drupal 8.x-4.x installation
  2. Create a new user role
  3. Add a new user and give the user the newly created role
  4. Give the user permissions to create/edit the page node type
  5. Don't give the user the 'View published content' permission
  6. Log in as the user and create new content of the type page
  7. Notice that you get a success message with a link to the node while you are on the access denied page for that node.

Proposed resolution

Add a node access check.

🐛 Bug report
Status

Needs review

Version

10.1

Component
Node system 

Last updated about 1 hour ago

No maintainer
Created by

🇪🇪Estonia hkirsman
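The access check proposed in the issue summary, sketched as an added example; this is not the merge request's code or Drupal core's own. The function names `example_node_saved_title()` and `example_node_saved_message()` are hypothetical, and the sketch assumes a custom module running inside a bootstrapped Drupal site.

```php
<?php

use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Builds the %title argument for the post-save status message.
 *
 * Hypothetical helper for illustration; not a Drupal core function.
 */
function example_node_saved_title(NodeInterface $node, AccountInterface $account) {
  // access() returns a boolean by default. Checking 'view' for the acting
  // account means a user without 'View published content', or the author of
  // a node that is unpublished by default, gets no link to a 403 page.
  if ($node->access('view', $account)) {
    // toLink() defaults to the canonical URL with the label as link text.
    return $node->toLink()->toString();
  }
  // Plain label: the %title placeholder escapes and emphasizes it.
  return $node->label();
}

/**
 * Sets the created/updated message after a node has been saved.
 *
 * Hypothetical caller; $is_new must be read before $node->save() runs.
 */
function example_node_saved_message(NodeInterface $node, bool $is_new) {
  $args = [
    '@type' => $node->type->entity->label(),
    '%title' => example_node_saved_title($node, \Drupal::currentUser()),
  ];
  $message = $is_new
    ? t('@type %title has been created.', $args)
    : t('@type %title has been updated.', $args);
  \Drupal::messenger()->addStatus($message);
}
```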


Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇬🇧United Kingdom Dubs

    Hi all,

    I'm reopening the issue because there are valid use cases, for example, in the case of content moderation an anonymous or authenticated user could create some content and then not have permissions to view the content. The above patch works in this situation.

    Logically, a link to view unpublished or draft content should not be provided as this will result in an access denied page for the visitor.

    Thanks for reading, and hopefully this patch can find its way into the code base.

  • Status changed to Needs work over 1 year ago
  • 🇺🇸United States smustgrave

    Per #30, if this is going to be reopened, steps to reproduce fully need to be included in the issue summary.

  • First commit to issue fork.
  • Pipeline finished with Success
    10 months ago
    Total: 462s
    #231237
  • Status changed to Needs review 10 months ago
  • I updated the steps to reproduce the issue according to the updated test and opened a merge request with the fix.

  • Status changed to Needs work 10 months ago
  • The Needs Review Queue Bot tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

  • First commit to issue fork.
  • Pipeline finished with Canceled
    about 1 month ago
    Total: 573s
    #461142
  • 🇦🇺Australia acbramley

    Rebased and slightly simplified the solution. Also expanded the test comment a bit.

  • Pipeline finished with Success
    about 1 month ago
    Total: 342s
    #461149
  • 🇮🇳India sagarmohite0031

    Hello,
    Tested and verified on Drupal 11.
    MR applied successfully and it's working as expected.

    Steps to reproduce

    Drupal 11.x installation.
    Create content of type test.
    Make content type test unpublished by default.
    Create a role test_creator and give it access to create content of type test.
    Create a user qa with the role test_creator.
    Log in as user qa.
    Create a node of type test.
    After saving, you will see a message about the successful creation of a new node with a link to the new node, but when you go to it you will receive a 403 error.

    Check Attachments-

  • The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

  • Pipeline finished with Success
    1 day ago
    Total: 573s
    #491767