- 🇮🇳 India Mayankkumar Jeshti Vadodara
#17 works perfectly. Thanks @FrancescoQ
- 🇮🇳 India AswathyAjish
I had the same issue in Drupal core 10.2.4. I tried #7 and it saved my day. Thanks a lot.
- 🇩🇪 Germany Anybody Porta Westfalica
Just ran into this and, as written in https://www.drupal.org/project/drupal/issues/2809177#comment-15721147 (Introduce entity permission providers, Needs work), this is a really weird buggy situation which should be resolved in core soon. Blocked by Move permission "view any unpublished content" from Content Moderation to Node (Postponed), which is blocked by Introduce entity permission providers (Needs work)!
- 🇫🇮 Finland heikkiy Oulu
We are encountering this issue after updating to Drupal core 10.3.6.
We have disabled that certain roles can add content to menus and edit the path alias. This has been working before but after the update they cannot save nodes. It seems like the alias is not updating soon enough and it gives an error.
From the attached screenshots it's visible that the alias is correct but it's giving an error for the original node ID alias.
If I give the Link to any page permission to the affected role it starts to work.
- 🇫🇮 Finland heikkiy Oulu
A small update related to our issue after updating to 10.3. The permission change for Link to any page did solve the problem but was probably not the original issue. While digging deeper I started to remove all core patches we had for 10.2 and finally arrived at removing the patch from issue #2557469: Route validation does not preserve request method, defaults to GET, and that seemed to fix the problem. It seems like that issue might be outdated and is already fixed in a separate issue.
- 🇭🇺 Hungary mxr576 Hungary
"hook_node_grants implementations lead to a 'URL Alias' validation error when saving translated nodes" (Fixed) should have fixed this, or should not? 10.2.3 is the first release with that fix.
- 🇫🇮 Finland heikkiy Oulu
Indeed. That problem should have fixed the issue so I am not 100% sure why it now surfaced for us with 10.3.6. Looking at issue #2557469 and the patch #30 it seems to alter how the AccessAwareRouter works. Perhaps there was some change in 10.3.x that caused the patch to work wrong.
Anyway I agree this issue needs summary and status update because it seems like "hook_node_grants implementations lead to a 'URL Alias' validation error when saving translated nodes" (Fixed) should have fixed the issue.
- 🇩🇪 Germany mrshowerman Munich
I made a few tests on several of our sites using different versions of Drupal (9.5.11, 10.2.0, 10.2.5, 10.2.7, and 10.3.6). All of them show the same error message when saving an unpublished node that has a URL alias. So I can confirm that "hook_node_grants implementations lead to a 'URL Alias' validation error when saving translated nodes" (Fixed) did not fix the issue.
I noticed that there is a second workaround: granting the "view any unpublished content" (provided by the module) also fixes the issue.
Updated the IS accordingly.
- 🇫🇮 Finland heikkiy Oulu
I can also confirm that we have View unpublished contrib module installed in our project. But still notable that the setup was working fine in 10.2.x branch. Verified that we were running 10.2.7 before updating to 10.3.6. And after that update non-admins started to receive that error message when saving translations. Removing the patch from issue #2557469: Route validation does not preserve request method, defaults to GET solved the issue.
- 🇭🇺 Hungary mxr576 Hungary
I think it should be fairly simple setting up a failing test in this issue as a next step. That should also eliminate questions like which contribs or other Drupal patches were contributed to this problem on this and that project.
Based on what I have read so far my Spidey-senses say that the issue could be related to `hook_node_grants()`/`hook_node_access_records()` because when a node access module (like view_unpublished) is enabled then access control logic applied to nodes changes "drastically" on a site. Nodes that the current user does not have (view) access to get filtered out from query results so `Node::load()`/`Node::loadMultiple()` does not even get those to load. The current repro steps also do not say anything about whether the given user had _view_ access to the unpublished node or not, they just say they had edit access, which is another clue for me, especially since I have been dealing with node access related wtf for a long time (Grant query level access to own unpublished nodes, Active).
Steps to reproduce
* Create a role with permissions to edit nodes.
* As a user with that role, create a new node with a path alias
* Edit the node again and remove the "Published" checkbox. Try to save.
- 🇫🇮 Finland heikkiy Oulu
At least in our case the user role does have the View unpublished content for the problematic content type. They do not have the permission View any unpublished content. They also have the edit permission so they are able to open the node edit route. I was able to open the unpublished node in view mode but the editing was blocked by the error.
Adding the needed tests for this seems like the logical next step.
- 🇭🇺 Hungary mxr576 Hungary
> I was able to open the unpublished node in view mode, but attempting to edit it triggered the error.
This behavior is indeed possible because the entity parameter converter basically relies on `Node::load()` with the given node ID, rather than performing an entity query that would respect query-level access control (`node_access`). Specifically, entity access handler and even `hook_entity_access()` implementation can grant access to a node even if `hook_node_grants()`/`hook_node_access_records()` does not. In practice, permissions like "view own/any unpublished node" are evaluated earlier than node access checks. If access is granted at this stage, node access won't be called.
And I assume the path based access checking relies on entity query... but I haven't checked.
- First commit to issue fork.
- 🇩🇪 Germany vesnag
Manual steps to reproduce this issue with 11.1.0-dev
Module Configuration:
- The 'Content Moderation Workflows' module should not be enabled.
- The 'Workflow' module should be enabled.
Content Type Setup:
For the 'Article' content type, navigate to "admin/structure/types/manage/article" and then to the "Publishing options". For the "Default options" ensure that 'Published' is unchecked.
Role Permissions:
- The 'Content editor' role should have the 'View published content' permission.
- The 'Content editor' role should have the 'Article: Edit own content' permission set.
- The 'Content editor' role should not have the 'View own unpublished content' permission set.
Steps and access:
- Create a user with the 'Content editor' role.
- Create an Article node with a custom URL alias.
- When accessing 'node/X' as a user with the 'Content editor' role, an 'Access denied' message should be displayed.
- When accessing 'node/X/edit' as a user with the 'Content editor' role, an edit form should be presented.
- When attempting to save the content of this node again, the user should receive the error message: "Either the path '/node/X' is invalid or you do not have access to it."
Additional Considerations:
Test user should not have additional permissions that could mask the issue: The 'Link to any page' and 'View any unpublished content' permissions should not be granted.
A functional test was implemented to address this issue:
https://git.drupalcode.org/issue/drupal-3167732/-/blob/3167732-non-admin...
It would be nice if someone could provide feedback on this failing test to confirm if continuing in this direction is recommended.
Thank you!
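The manual steps from the comment above, written as a Drupal functional test to run under core's PHPUnit setup. This is an added example, not the test from the issue fork; the module namespace `alias_access_example`, the class name, the alias `/custom-alias` and the extra 'create url aliases' permission (assumed to be needed so the alias field is part of the submitted form) are assumptions.

```php
<?php

declare(strict_types=1);

namespace Drupal\Tests\alias_access_example\Functional;

use Drupal\Tests\BrowserTestBase;

/**
 * Saves an unpublished, aliased node as an editor who cannot view it.
 */
class UnpublishedAliasSaveTest extends BrowserTestBase {

  protected static $modules = ['node', 'path'];

  protected $defaultTheme = 'stark';

  public function testEditorCanSaveOwnUnpublishedNode(): void {
    $this->drupalCreateContentType(['type' => 'article', 'name' => 'Article']);

    // 'access content' is the machine name of 'View published content'.
    // Deliberately absent: 'view own unpublished content',
    // 'view any unpublished content' and 'link to any page'.
    $editor = $this->drupalCreateUser([
      'access content',
      'edit own article content',
      'create url aliases', // Assumption, see lead-in.
    ]);

    $node = $this->drupalCreateNode([
      'type' => 'article',
      'uid' => $editor->id(),
      'status' => 0,
      'path' => ['alias' => '/custom-alias'],
    ]);

    $this->drupalLogin($editor);

    // Viewing is denied, editing is allowed: the mismatch behind the report.
    $this->drupalGet('node/' . $node->id());
    $this->assertSession()->statusCodeEquals(403);
    $this->drupalGet('node/' . $node->id() . '/edit');
    $this->assertSession()->statusCodeEquals(200);

    // Expected behaviour: an unchanged form saves without the path error.
    // The thread reports that the message below is shown instead.
    $this->submitForm([], 'Save');
    $this->assertSession()->pageTextNotContains('is invalid or you do not have access to it');
  }

}
```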
- 🇮🇳 India rajeevkumar
Only installing the Pathauto module is removing this blocker and non-admin user can do the regular URL alias updates and creation. (But Core fix is recommended.)