I have an application that relies on a non-administrative role being able to view unpublished content created by other users for a specific type of node (currently upgrading it from D7 to D8). Since out of the box there is only a permission to "View own unpublished content" and no permission that might allow a role to view others' unpublished content, a Google search on the ability to do this implied that I should enable "Content Moderation" and give the role the "View any unpublished content" permission. So I did this.
After doing so, users in that role can view others' unpublished nodes directly like /node/<nid>, but the behavior of JSON API is inconsistent WRT fetch vs query.
If I have the uuid of such a node, then users in that role can access it directly like:
/jsonapi/node/<bundle>/<uuid>
So that seems OK, BUT such nodes cannot be discovered by querying for them, it seems, in any fashion.
To verify this, I tried simply using the nid and/or uuid as filter criteria like:
/jsonapi/node/?filter[drupal_internal__nid][value]=<nid>
OR
/jsonapi/node/?filter[id][value]=<uuid>
Both of those queries return the expected node when run as an administrator, and both of them return EMPTY results when run as a user in my role with the "View any unpublished content" permission set. This is the same user who can fetch such a node directly by uuid.
I have yet to find a set of acceptable permissions that will allow a non-administrative role to discover these unpublished nodes via JSON API. The fact that the user does in fact have the ability to fetch them directly but cannot find them via query seems blatantly wrong and inconsistent.
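A reproduction check for the fetch-versus-query mismatch reported above, as an added example that is not part of the original issue or of Drupal's code. The bundle name `article`, the UUID, the bundle segment in the collection path, the helper names and the sample responses are all constructed assumptions; `http_fetch` can be swapped in to run the same comparison against a real site with the role's credentials.

```python
import json
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import Request, urlopen

UUID = "00000000-0000-4000-8000-000000000001"  # constructed sample value
BUNDLE = "article"                              # hypothetical bundle name

def item_path(bundle, uuid):
    return f"/jsonapi/node/{quote(bundle)}/{quote(uuid)}"

def query_path(bundle, uuid):
    # Filter syntax as in the report; the bundle path segment is an assumption.
    return f"/jsonapi/node/{quote(bundle)}?filter[id][value]={quote(uuid)}"

def http_fetch(base_url, headers):
    # Returns fetch(path) -> (status, document) for use against a live site.
    def fetch(path):
        req = Request(base_url.rstrip("/") + path,
                      headers={"Accept": "application/vnd.api+json", **headers})
        try:
            with urlopen(req, timeout=10) as resp:
                return resp.status, json.load(resp)
        except HTTPError as err:
            return err.code, {}
    return fetch

def sample_fetch(responses):
    # Offline stand-in: serves constructed responses keyed by request path.
    return lambda path: responses.get(path, (404, {}))

def compare_access(fetch, bundle, uuid):
    """Classify whether direct fetch and filtered query agree for one node."""
    status, doc = fetch(item_path(bundle, uuid))
    data = doc.get("data")
    by_fetch = status == 200 and isinstance(data, dict) and data.get("id") == uuid
    status, doc = fetch(query_path(bundle, uuid))
    rows = doc.get("data") if status == 200 else None
    by_query = any(r.get("id") == uuid for r in rows or [])
    if by_fetch == by_query:
        return "consistent-visible" if by_fetch else "consistent-hidden"
    return "fetch-only" if by_fetch else "query-only"

NODE = {"type": "node--article", "id": UUID}
# Constructed responses modelling the behaviour described in the report.
ROLE_USER = {item_path(BUNDLE, UUID): (200, {"data": NODE}),
             query_path(BUNDLE, UUID): (200, {"data": []})}
ADMIN = {item_path(BUNDLE, UUID): (200, {"data": NODE}),
         query_path(BUNDLE, UUID): (200, {"data": [NODE]})}
```

A result of `fetch-only` for the role and `consistent-visible` for an administrator is the mismatch described in the report; run per role after permission changes, it works as a regression check on access-control consistency.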
Active
11.2
jsonapi.module