Unauthorized users able to to view unpublished translations

Created on 25 July 2017, over 7 years ago
Updated 1 March 2023, almost 2 years ago

Under certain conditions, anonymous users are able to view unpublished translations, unauthorized users are able to view unpublished translations.

Prerequisites: Enable Content translation and have at least two languages enabled.

Steps to Reproduce:
1. Create a new node in the sites default language. Save, but keep unpublished.
2. Create a new translation in another language. Save, and also keep unpublished.
3. Publish one of the the translations, keeping the other one unpublished.
4. Attempt to view the unpublished translation as an anonymous user (or other role that does not have "view all unpublished content" permission).

Expected Result: I should get a 403 Access Denied Error.
Actual Result: I am able to view the unpublished translation..

It looks like the issue is that the hook_node_access_records() implementation is not passing in a language code when it sets the view grant.
If you omit this, Drupal core will just apply the grant to all languages on the node.

🐛 Bug report
Status

Needs work

Version

1.0

Component

Code

Created by

🇺🇸United States nplowman

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇫🇮Finland iSampo

    I can confirm that this still happens on 8.x-1.x-dev.

    To recap, here are all the steps to reproduce:
    - Install clean Drupal and Content Access module
    - drush si -y && drush en admin_toolbar admin_toolbar_tools language content_access content_translation -y && drush uli
    - Rebuild permissions due to Content Access installation (/admin/reports/status/rebuild)
    - Add a new language for the site (/admin/config/regional/language)
    - Allow translating the Article content type (/admin/structure/types/manage/article → Language settings → Enable translation)
    - Create a new Article in the default language (EN) and leave it published
    - Translate the Article in the newly created language (FI in this case) and don't publish it
    - Access to both EN and FI pages now return 403 for anonymous user even though the EN page can be seen published on the edit form
    - Edit the EN content and re-save it
    - Both contents are now visible for anonymous users and the unpublished FI translation shows the red "unpublished" background on its content

    Patch didn't apply cleanly against 8.x-1.x, so here's a reroll. This will now include the changes done in https://www.drupal.org/project/content_access/issues/3262813 as well.

    What happened before these changes:
    When saving a node, access records were by default created for all translations, because the isPublished() check was done only for the content being saved (not the translations). This meant that saving the published EN content added allowing access record for FI (or any other translations) as well.

    What should happen after the patch has been installed:
    When saving a node, access records are only created for the translations that are published.

    We'd still need to double-check that all this doesn't mess up things for other content access modules (like the quite popular View Unpublished ).

  • 🇳🇴Norway gisle Norway

    We always fix the latest version.

  • Thanks @gisle, and thank you @iSampo for the clear replication steps and new patch.

    I am going to be out of touch for a week or two, but if this hasn’t been wrapped up by the time I get back I will test your replication steps to see if I can reproduce the issue, then I can confirm/reroll the patch.

    Would be cool to move out of alpha :)

  • Open in Jenkins → Open on Drupal.org →
    Core: 10.0.7 + Environment: PHP 8.1 & MySQL 5.7
    last update over 1 year ago
    6 fail
  • Status changed to Needs review over 1 year ago
  • Open in Jenkins → Open on Drupal.org →
    Core: 10.0.7 + Environment: PHP 8.1 & MySQL 5.7
    last update over 1 year ago
    4 pass, 2 fail
  • 🇳🇴Norway gisle Norway

    Rerolled patch from comment #27 against HEAD.

  • The last submitted patch, 30: content_access-langcode-2897104-30.patch, failed testing. View results
    - codesniffer_fixes.patch Interdiff of automated coding standards fixes only.

  • Status changed to Needs work over 1 year ago
  • 🇳🇴Norway gisle Norway

    Having another go at it.

  • Open in Jenkins → Open on Drupal.org →
    Core: 10.0.7 + Environment: PHP 8.1 & MySQL 5.7
    last update over 1 year ago
    9 pass
  • Status changed to Needs review over 1 year ago
  • 🇳🇴Norway gisle Norway

    Automatic tests pass. We also need manual reviews by community members.

  • 🇳🇴Norway gisle Norway

    I spent some time today testing the patch supplied by iSampo in comment #27 (after rerolling it for the HEAD of 2.0.x-dev – i.e. the patch in comment #32), it the results are very encouraging 😁.

    I would like to see some more testing, but I plan to commit this to the repo soon.

    • iSampo authored ea0e36f7 on 2.0.x
      Issue #2897104 by iSampo, joey-santiago, gisle, nplowman: Fixed...
  • Status changed to Fixed over 1 year ago
  • 🇳🇴Norway gisle Norway

    It looks like it has been fixed. This has been committed to the latest snapshot of 2.0.x-dev.

  • Automatically closed - issue fixed for 2 weeks with no activity.

  • Status changed to Fixed over 1 year ago
  • 🇷🇴Romania ion.macaria Bucharest, 🇷🇴

    Guys patch is fine, but it missed something. When node view is not for all users it appears that error on translation:
    Drupal\Core\Entity\EntityStorageException: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '689868-7-content_access_roles-es' for key 'node_access.PRIMARY': INSERT INTO "node_access"
    To fix it content_access_get_type_grant function "$defaults" static variable should take in consideration node language. So this function should looks like:

    /**
     * Returns the default grants for a given node type.
     */
    function content_access_get_type_grant(NodeInterface $node) {
      // Cache per type default grants in a static array.
      static $defaults = [];
    
      $node_type = $node->getType();
    
      if (!isset($defaults[$node_type][$node->language()->getId()])) {
        $grants = [];
    
        // Only process the 'view' op as node_access() will take care of
        // edit and delete.
        foreach (content_access_get_settings('view', $node_type) as $rid) {
          $gid = content_access_get_role_gid($rid);
          $grant['grant_view'] = 1;
          $grants[] = content_access_proccess_grant($grant, $gid, $node);
        }
        $defaults[$node_type][$node->language()->getId()] = $grants;
      }
    
      // Care for the author grant.
      $grant = $grants = [];
      $settings = [
        'view' => content_access_get_settings('view', $node_type),
        'view_own' => content_access_get_settings('view_own', $node_type),
      ];
      $grant['grant_view'] = content_access_own_op($node, $settings['view'], $settings['view_own']);
      if ($grant['grant_view']) {
        $grant['realm'] = 'content_access_author';
        $grants = [
          'author' => content_access_proccess_grant($grant, $node->getOwnerId(), $node),
        ];
      }
    
      return $defaults[$node_type][$node->language()->getId()] + $grants;
    }
  • Status changed to Active over 1 year ago
  • 🇳🇴Norway gisle Norway

    Reopening, based on comment #39.

  • 🇨🇭Switzerland LpSolit

    I posted Ion Macaria's patch based on his comment 39 in issue 3364261. Please review.

  • Status changed to Needs review over 1 year ago
  • 🇨🇦Canada Liam Morland Ontario, CA 🇨🇦

    The fix for 🐛 Integrity constraint violation: 1062 Duplicate entry after upgrade module Fixed has recently been committed. Does this problem still exist?

  • Status changed to Fixed over 1 year ago
  • 🇬🇧United Kingdom steven jones

    @Liam Morland yeah, that's the exact same issue isn't it? So although @ion.macaria hasn't confirmed that it fixed their issue, given that the patch came from their suggested fix, I think we can be pretty sure it does.
    Also, others tested and confirmed that 🐛 Integrity constraint violation: 1062 Duplicate entry after upgrade module Fixed was fixed etc.

    Thus, I'm closing this ticket again.

  • Automatically closed - issue fixed for 2 weeks with no activity.

  • Status changed to Fixed about 1 month ago
Production build 0.71.5 2024