Contrib.social

Content moderation does not implement node grants and thus doesn't integrate its permissions with other grant implementing modules

Open on Drupal.org →
Created on 27 July 2020, over 4 years ago
Updated 29 October 2024, about 2 months ago

Problem/Motivation

Moderated content page could be empty even if the current user has access to "in-moderation" content. Based on my quick analysis, this happens because content_moderation only implements hook_entity_access() and not hook_node_access_records() and hook_node_grants(). Therefore if a user should have access to a moderated content but you have a module X enabled that implements node access hooks then the moderated content won't appear on the Moderated content page. This does not happen because module X works incorrectly. It happens because content_moderation should grant access to a moderated node when Views collects available moderated nodes for a user in query time, but it only does it in "runtime", in other words, when Views have already collected and loaded entities from the database.

Steps to reproduce

* Enable a module that implements hook_node_access_records()/hook_node_grants() for the "view" operation. (Like the node_test module.)
* Enable Content moderation and configure it for an access controlled node type.
* Create limited content creator/moderator roles/users.
* Create content with content creator (or admin) and save it in draft moderation state.
* Login with content moderator and check the "Moderated content" page. Expected result: the created node is visible. Actual behavior: The node is not visible, but by opening the node's path directly, the moderator has access.

Minimum role setup for Content Moderator (for the "Editorial" workflow shipped by the Standard profile):

langcode: en
status: true
dependencies: {  }
id: content_moderator
label: 'Content moderator'
weight: 3
is_admin: null
permissions:
  - 'access content overview'
  - 'access toolbar'
  - 'use editorial transition publish'
  - 'view any unpublished content'
  - 'view latest version'
  - 'view the administration theme'

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Active

Version

11.0 🔥

Component

content_moderation.module

Created by

🇭🇺Hungary mxr576 Hungary

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 2 months ago
    🇭🇺Hungary mxr576 Hungary
  • Comment about 2 months ago
    morvaim

    I couldn't replicate this problem. If the user has the View any unpublished content then all moderated content is listed regardless of `hook_node_access_records()` and `hook_node_grants()` implementations. Couldn't be that the problem here is that there is a "hidden" step during configuring Content moderation and the Content moderation view needs to be updated, because the Content revision: Moderation state filter needs to be configured and until that no content appears on the moderated content listing page?

  • Comment about 2 months ago
    morvaim

    Content revision: Moderation state needs to be set, after setting up a Workflow, see attached images.

  • Comment about 2 months ago
    morvaim
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024