- Issue created by @mxr576
View access is not granted to the author of the unpublished node on the entity query level. This is an issue in cases when available entity ids are covered first by an entity query and only passed to loadMultiple() afterward.
(Like when a filter call is fired via JSONAPI calls https://www.drupal.org/docs/core-modules-and-themes/core-modules/jsonapi...)
If you wonder why all tests pass in \Drupal\Tests\node_view_permissions\Functional\NodeViewPermissionsTest, it is because it checks entity access, and we know that even if entity query level access is not granted, entity access can grant access (because the user has the "view own unpublished content" permission).
The /node/[nid] page also works for the very same reason.
A failing test case that can be added to \Drupal\Tests\node_view_permissions\Functional\NodeViewPermissionsTest:

```php
  // Requires these imports at the top of the test class file:
  // use Drupal\Core\Url;
  // use Drupal\node\NodeInterface;
  // use Symfony\Component\HttpFoundation\Response;

  /**
   * Test users with a "view own unpublished content" permission.
   *
   * Ensure that these users can view nodes of this type that they created.
   */
  public function testViewOwnUnpublished() {
    $user1 = $this->drupalCreateUser(['view own unpublished content']);
    $user2 = $this->drupalCreateUser(['view own unpublished content']);
    $node = $this->drupalCreateNode([
      'type' => 'article',
      'uid' => $user1->id(),
      'status' => NodeInterface::NOT_PUBLISHED,
    ]);

    // Entity-level access: the author gets 200, another user gets 403.
    $lookup = [
      [$user1, Response::HTTP_OK],
      [$user2, Response::HTTP_FORBIDDEN],
    ];
    foreach ($lookup as $i) {
      [$user, $expected] = $i;
      $this->drupalLogin($user);
      $this->drupalGet(Url::fromRoute('entity.node.canonical', [
        'node' => $node->id(),
      ]));
      $this->assertSession()->statusCodeEquals($expected);
    }

    // Query-level access: this is the assertion that fails for the author.
    $result = \Drupal::entityQuery('node')
      ->condition('nid', $node->id())
      ->addMetaData('account', $user1)
      ->accessCheck(TRUE)
      ->execute();
    self::assertNotEmpty($result, 'Access is granted to the author of an unpublished node in the query level.');
  }
```
Active
1.0
Code
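The gap described in the issue can be checked for any set of nodes by comparing the two access layers directly. The helper below is an added example, not code from the issue or from the node_view_permissions module; the function name `example_node_access_mismatches()` is hypothetical, and it assumes it runs inside a bootstrapped Drupal site (for instance from a kernel test).

```php
<?php

use Drupal\Core\Session\AccountInterface;

/**
 * Hypothetical helper (added example, not part of node_view_permissions).
 *
 * Compares query-level and entity-level "view" access for one account and
 * returns the node IDs on which the two layers disagree.
 */
function example_node_access_mismatches(array $nids, AccountInterface $account): array {
  $mismatches = ['entity_only' => [], 'query_only' => []];
  if (!$nids) {
    return $mismatches;
  }
  $storage = \Drupal::entityTypeManager()->getStorage('node');

  // Layer 1: query-level access, the check a filtered listing relies on
  // before anything is passed to loadMultiple().
  $visible = $storage->getQuery()
    ->condition('nid', $nids, 'IN')
    ->addMetaData('account', $account)
    ->accessCheck(TRUE)
    ->execute();
  $visible = array_map('intval', array_values($visible));

  // Layer 2: entity-level access, the check the /node/[nid] page relies on.
  foreach ($storage->loadMultiple($nids) as $nid => $node) {
    $entity_ok = $node->access('view', $account);
    $query_ok = in_array((int) $nid, $visible, TRUE);

    if ($entity_ok && !$query_ok) {
      // The case in this issue: viewable directly, missing from listings.
      $mismatches['entity_only'][] = (int) $nid;
    }
    elseif (!$entity_ok && $query_ok) {
      // The opposite case: listed by a query, yet not viewable directly.
      $mismatches['query_only'][] = (int) $nid;
    }
  }
  return $mismatches;
}
```

For the unpublished node and `$user1` from the failing test above, the node ID would land in `entity_only`; an empty result in both buckets means the two layers agree for that account.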