User not administrator can't change author "Access denied"

The Needs Review Queue Bot → tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.

Tested patch in #18 on 9.5.3 with VBO 4.2.3 and this fixed the issue for me! Thank you.

@msbtterswrth, thanks for reporting that the patch works. Setting an issue to RTBC requires other checks as well.

There have been changes to the patch and I don't see a code review. I too a very brief look at the patch and I saw commented out code and at least one todo. Those need to be addressed. This also needs an issue summary update, adding tag. Should the title be 'Allow non-administrator to change node author'?

I've rolled this against 10.1 and cleaned up the test + added a test for a node authored by an anon user. No interdiff since the last patch was rolled against the wrong directory. Only tests changed from that patch

I'm out of time today but can come back for the IS update.

Issue summary update still needs to happen

Updated the IS

Thanks @DanielVeza!

Just to make sure the test fail ran locally without the fix and got
Behat\Mink\Exception\ResponseTextException : The text "uh4anwa5 was applied to 1 item." was not found anywhere in the text of the current page.

Tests were green, but now the custom commands are failing. Setting back to NW.

Fixing the CS issues, restoring RTBC status pending the test run

+++ b/core/modules/node/src/Plugin/Action/AssignOwnerNode.php
@@ -134,10 +134,10 @@ public function submitConfigurationForm(array &$form, FormStateInterface $form_s
-      ->andIf($object->getOwner()->access('edit', $account, TRUE));
-
+      ->andIf($object->access('update', $newUser, TRUE));

Playing devil's advocate do we even need this at all?

The user's ability to edit the node has nothing to do with their ability to be the owner of the node.

You may want to change the author of a node for presentation purposes, even if the new author can not edit the node.

Isn't the only salient check is that the person running the action has access to edit the node?

Thoughts?

I would agree with that last statement

Isn't the only salient check is that the person running the action has access to edit the node?

Think that's all we care about

You may want to change the author of a node for presentation purposes, even if the new author can not edit the node.

I guess that's an option but sounds like a terrible approach haha. I'm assigning this to you but you can't do anything with it.

I think @larowlan makes a good point, adjusted the patch to remove the check if the new owner can update the content.

Thanks for the quick turnaround @DanielVeza!

Closed 🐛 Unable to change the author of content using views/action Closed: duplicate as a duplicate.

larowlan → credited lobodacyril → .

Crediting @lobodacyril from the duplicate

Thanks everyone for getting this to RTBC!

Nice to see and complete Issue Summary, it make it much easier to review. I changed the IS to use the action id, node_assign_owner_action, instead of the class name.

I skimmed through the comments and didn't find any comments that were not addressed. However, I do not see a full code review and no mention that the test has been reviewed.

I then looked at the patch. The fix has been discussed so I spent my time on the test. I am finding it difficult to follow what is happening in the test and why. I was thinking that the names of the users could be more descriptive. After a few reads I figured out what was going on, sort of. Let's make this easier for devs in the future and add comments.

I reworked the test so that all the setup is at the start and there blank lines between the test cases. There are also variable names changes and new comments.

Better title, I hope.

Made sure #49 still fails.

Behat\Mink\Exception\ResponseTextException : The text "h2peia6h was applied to 1 item." was not found anywhere in the text of the current page.

So test still tests so think the changes are good.

1. +++ b/core/modules/node/tests/src/Functional/NodeActionsConfigurationTest.php
   @@ -138,4 +138,126 @@ public function testAssignOwnerNodeActionAutocomplete() {
   +    // Create two actions. One to assign authorship to the page editor and the
   +    // other to assign authorship to the article editor.
   +    $this->drupalLogin($action_admin);
   +
   +    // Create action to assign ownership to $page_editor.
   +    $page_action_label = strtolower($this->randomMachineName());
   +    $edit = [
   +      'label' => $page_action_label,
   +      'id' => $page_action_label,
   +      'owner_uid' => $page_editor->id(),
   +    ];
   +    $this->drupalGet('admin/config/system/actions/add/node_assign_owner_action');
   +    $this->submitForm($edit, 'Save');
   +    $this->assertSession()->pageTextContains("The action has been successfully saved.");
   +
   +    $article_action_label = strtolower($this->randomMachineName());
   +    $edit = [
   +      'label' => $article_action_label,
   +      'id' => $article_action_label,
   +      'owner_uid' => $article_editor->id(),
   +    ];
   +    $this->drupalGet('admin/config/system/actions/add/node_assign_owner_action');
   +    $this->submitForm($edit, 'Save');
   +    $this->assertSession()->pageTextContains("The action has been successfully saved.");
   

   Sorry for not picking this up earlier.

   This test is about testing the action, not testing the action UI - so I think we can create this action using the API (i.e using Action::create()->save()) and make the test a bit more performant.

   It also means we don't need to create the admin user

2. +++ b/core/modules/node/tests/src/Functional/NodeActionsConfigurationTest.php
   @@ -138,4 +138,126 @@ public function testAssignOwnerNodeActionAutocomplete() {
   +    // Confirm the action work for a node with an anonymous author.
   

   work -> works

None of these patches will apply cleanly on 10.3.1.

The action plugin has been moved to Action module in Drupal 10.3, see https://www.drupal.org/node/3424506 →

this patch should apply to 10.3

that said, for Drupal 11 the patch needs to be ported to the then separated action module: https://www.drupal.org/project/action →

Moving this to the Action module

I'm surprised it hasn't been mentioned here, but changing a Node author is locked behind the administer nodes permission (see NodeAccessControlHandler::checkFieldAccess) so checking node edit access is not enough.