Access denied when viewing own unpublished revision: access check is not using revision author

Created on 19 November 2019, about 5 years ago
Updated 21 April 2023, over 1 year ago

If you enable Content Moderation along with the Lightning Workflow transitions, and create a user with permissions that allow them to create and edit a specific content type but only to View Latest Version and View Own Unpublished Content, they will be unable to view a new revision of content they did not originally create. Immediately after saving they will be presented with an Access Denied screen.

Here are the permissions said user has:

permissions:
  - 'access content'
  - 'access content overview'
  - 'access contextual links'
  - 'create and edit custom blocks'
  - 'create page content'
  - 'edit any page content'
  - 'use editorial transition create_new_draft'
  - 'use editorial transition review'
  - 'use moderation sidebar'
  - 'view latest version'
  - 'view own unpublished content'
  - 'view page revisions'

The issue appears to be due to the fact that the user cannot view the latest revision because the original content was not authored by them. The fix is to assign them the permission "View any unpublished content", but this is not desirable as they can then access unpublished content for bundles they technically should not have access to.

Looking through the code, the offending lines may be these:
File: core/modules/content_moderation/src/Access/LatestRevisionCheck.php
Lines: 63-64
Code:

$owner_access = AccessResult::allowedIfHasPermissions($account, ['view latest version', 'view own unpublished content']);
$owner_access = $owner_access->andIf((AccessResult::allowedIf($entity instanceof EntityOwnerInterface && ($entity->getOwnerId() == $account->id()))));

Altering this to the following, so the revision UID is also checked, means that this method now returns TRUE for a newly created revision, but the Access Denied message is still returned.

$owner_access = AccessResult::allowedIfHasPermissions($account, ['view latest version', 'view own unpublished content']);
$owner_access = $owner_access->andIf((AccessResult::allowedIf($entity instanceof EntityOwnerInterface && ($entity->getOwnerId() == $account->id() || $entity->getRevisionUserId() == $account->id()))));

I expected the above change to be the only thing needed to get this working, but evidently not. Is this an actual issue or is there an alternative method to get this working without modifications to the code?
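To make the difference between the two ownership checks concrete, here is a stand-alone PHP model of that branch of LatestRevisionCheck::access(). It is an added example, not code from Drupal core or from the reporter: the Account and NodeRevision classes are minimal stand-ins (assumed, not Drupal's) that expose only the values the check reads (the account id and permissions, the node owner id from getOwnerId(), and the revision author id from getRevisionUserId()), so the original and the proposed condition can be run side by side against the scenario from the report without a Drupal site. The scenario data is constructed: user 10 authored the node, user 20 is the restricted editor who saved the latest draft, and user 30 holds the same permissions but authored neither.

```php
<?php
// Stand-alone model of the ownership branch in LatestRevisionCheck::access().
// NOT Drupal code: the classes below are assumed stand-ins for the account and
// the node revision, carrying only the fields the access condition consults.

declare(strict_types=1);

final class Account
{
    /** @param string[] $permissions Permission names granted to this account. */
    public function __construct(
        public readonly int $id,
        private readonly array $permissions,
    ) {}

    public function hasPermission(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

// Stand-in for the loaded node revision: the node's original author (what
// getOwnerId() returns) and the user who saved this revision (getRevisionUserId()).
final class NodeRevision
{
    public function __construct(
        public readonly int $ownerId,
        public readonly int $revisionUserId,
    ) {}
}

/** Equivalent of AccessResult::allowedIfHasPermissions(): every permission must be held. */
function hasAllPermissions(Account $account, array $permissions): bool
{
    foreach ($permissions as $permission) {
        if (!$account->hasPermission($permission)) {
            return false;
        }
    }
    return true;
}

// Core's current condition: permissions AND the node owner is the current user.
function ownerAccessOriginal(Account $account, NodeRevision $revision): bool
{
    return hasAllPermissions($account, ['view latest version', 'view own unpublished content'])
        && $revision->ownerId === $account->id;
}

// The change proposed in this issue: the author of the latest revision also qualifies.
function ownerAccessPatched(Account $account, NodeRevision $revision): bool
{
    return hasAllPermissions($account, ['view latest version', 'view own unpublished content'])
        && ($revision->ownerId === $account->id || $revision->revisionUserId === $account->id);
}

// Constructed scenario from the report. All three accounts hold only the two
// "own" permissions; none has "view any unpublished content".
$perms = ['view latest version', 'view own unpublished content'];
$accounts = [
    'node author'      => new Account(10, $perms),
    'draft editor'     => new Account(20, $perms),
    'uninvolved user'  => new Account(30, $perms),
];
// Node owned by user 10; the latest (unpublished) revision was saved by user 20.
$latestDraft = new NodeRevision(ownerId: 10, revisionUserId: 20);

foreach ($accounts as $label => $account) {
    printf(
        "%-16s original: %-7s patched: %s\n",
        $label,
        ownerAccessOriginal($account, $latestDraft) ? 'allowed' : 'denied',
        ownerAccessPatched($account, $latestDraft) ? 'allowed' : 'denied'
    );
}
```

Run it with `php model.php` (PHP 8.1 or later, for readonly promoted properties). The node author passes both checks, the draft editor passes only the patched one, and the uninvolved user is denied by both, which is the property worth confirming before applying the change: widening the condition to the revision author does not grant "view any unpublished content" by the back door, because a user still has to have saved the revision in question. Note that the model only covers the condition itself; the report says the Access Denied page persists after the change, so whichever other check on the /latest route is still denying would have to be traced separately in a real site.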

🐛 Bug report
Status

Active

Version

9.5

Component
Content moderation 

Last updated 24 days ago

Created by

🇬🇧United Kingdom SoulReceiver


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸United States RichardDavies Portland, Oregon

    I just encountered this exact same issue and I'm not sure "works as designed" is technically accurate or that the current behavior is the ideal desired behavior. As the OP explained, a user can view the published node and can create a new draft revision of the node. But when they click Save on the draft revision, they're taken to /[node_url]/latest which returns access denied.

    I completely understand and agree that the 'view own unpublished content' permission shouldn't give you access to all of the unpublished revisions if you didn't author those revisions, but it's currently denying access to an unpublished revision that you just authored! That doesn't make any sense and is confusing to a user to say in essence "Yes, I just let you successfully save a new revision, but sorry, you can't see it now."

    Interestingly, the user can actually view their revision by using the Revision tab and clicking on their revision link which points to /[node_url]/revisions/[revision_id]/view. So it seems like /latest should allow you to view the latest revision if you have the 'view own unpublished content' permission and you authored the revision, regardless of whether or not you were the original author of the node.

  • 🇺🇸United States RichardDavies Portland, Oregon

    @SoulReceiver I tried the change you suggested and seems to be working correctly now for me. The user can now view /latest when they authored the latest revision. I'm curious why you stated it didn't seem to be a complete fix or working as expected for you... can you elaborate on the problem you continued to experience after trying your fix?

  • 🇺🇸United States RichardDavies Portland, Oregon
  • Status changed to Active almost 2 years ago
  • 🇺🇸United States RichardDavies Portland, Oregon

    Based on our testing, the OP's suggested code change does indeed resolve this issue and we've been unable to identify any problems or side effects with the change. So I'm attaching a patch file for this fix and reopening this issue because if you can create a revision I feel like you should be able to view that revision.

  • 🇮🇳India bhanu951

    @RichardDavies, as you mentioned you encountered this issue recently, I assume it's on 10.x core. If not, can you update the core version on which you faced the issue?

  • 🇺🇸United States RichardDavies Portland, Oregon

    I encountered this on 9.5.x
