Content operation links do not respect transition access restrictions for already published content

Created on 4 April 2018, about 7 years ago
Updated 14 January 2025, 3 months ago

Problem/Motivation

Editing already published content and setting the moderation state to anything other than published will require the content (depending on how your workflow is configured) to go through the defined workflow again before the changes are eventually published. Users are granted permissions to use specific transitions, and therefore do, or do not, have access to the content. The problem occurs when the moderation state is updated to a state where the user does not have the permission to perform any transition. When trying to access the edit page (for example), an access denied (404) page is shown to the user, but in the content overview there is still an edit button visible. This differs from new (unpublished) content, where the edit button is not visible to the user.

Steps to reproduce:

  1. Enable content moderation and create a workflow
  2. Add a variety of states. In this example we use the states: "Draft", "Review", "Published", "Unpublished"
  3. Add a variety of transitions. See attached screenshot for the states we used.
  4. Assign the permissions to use the defined transitions to a non-admin role (e.g. editor). Make sure you do not assign all the permissions, so you can reproduce access to content in a state where you do not have access to perform any transition
  5. Create new content of the type the workflow applies to (this can be done as super user to speed up the process)
  6. Set the moderation state to a state where the editor does not have access to perform any transitions
  7. Check that, as an editor, you do not have access to edit the content, and also do not see any edit button in the content overview. This should not be the case.
  8. Publish the content (as super user)
  9. Edit the content again and set it to the same state as before (either directly or by doing multiple transitions until you reach that state) (this can be done as super user to speed up the process)
  10. Check that, as an editor, you do not have access to edit the content. Check the content overview page. You now see an edit button, but when clicking it you will see an access denied page.

Proposed resolution

Content operation links should respect access of the latest revision, and therefore should never be visible if the user does not have the permission to perform such operation.
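The mismatch from the steps above can be modelled in a few lines. This is an added example, not Drupal or content_moderation code: it assumes the overview decides link visibility from the published (default) revision while the edit route checks the latest revision, which the report implies but does not state. The transition names and the editor's permission set are constructed for illustration.

```python
# Simplified model of the reported behaviour; not Drupal code.
# Transition name -> (states it may start from, state it leads to). Names are hypothetical.
TRANSITIONS = {
    "save_draft": ({"Draft", "Published"}, "Draft"),
    "request_review": ({"Draft", "Published"}, "Review"),
    "publish": ({"Review"}, "Published"),
    "unpublish": ({"Published"}, "Unpublished"),
}
EDITOR_PERMS = {"save_draft", "request_review"}  # nothing usable from "Review"

class Node:
    def __init__(self):
        self.revisions = []  # moderation state of each revision, oldest first

    def save(self, state):
        self.revisions.append(state)

    def latest(self):
        return self.revisions[-1]

    def default(self):
        # Assumption: once a published revision exists it stays the default
        # revision while newer, unpublished revisions are stacked on top.
        return "Published" if "Published" in self.revisions else self.latest()

def can_transition_from(state, perms):
    return any(state in TRANSITIONS[name][0] for name in perms)

def edit_allowed(node, perms):
    """Access check on the edit route: evaluated on the latest revision."""
    return can_transition_from(node.latest(), perms)

def link_visible_reported(node, perms):
    """Assumed current behaviour: link gated on the default revision."""
    return can_transition_from(node.default(), perms)

def link_visible_proposed(node, perms):
    """Proposed resolution: link gated on the same check as the edit route."""
    return edit_allowed(node, perms)

def reproduce():
    new, republished = Node(), Node()
    for state in ("Draft", "Review"):  # steps 5-7
        new.save(state)
    for state in ("Draft", "Review", "Published", "Review"):  # steps 8-10
        republished.save(state)
    return {
        name: (link_visible_reported(n, EDITOR_PERMS),
               edit_allowed(n, EDITOR_PERMS),
               link_visible_proposed(n, EDITOR_PERMS))
        for name, n in (("new", new), ("republished", republished))
    }
```

`reproduce()` returns, per scenario, whether the link is shown under the reported behaviour, whether the edit route grants access, and whether the link is shown under the proposed resolution. Any row where the first two values differ is the inconsistency the report describes.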

πŸ› Bug report
Status

Postponed: needs info

Version

11.0 🔥

Component

content_moderation.module

Created by

🇳🇱 Netherlands steven buteneers

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
