Contrib.social

Document / Disable the ability to select viewing node entities.

Open on Drupal.org →
Created on 9 May 2023, over 1 year ago
Updated 10 May 2023, over 1 year ago

Problem/Motivation

Currently, whether or not we allow the user to view a node does not have any impact on the access (he will always be able to view the node). This is caused due to legacy code inside node. The user needs to have at least the "access content" permission to do anything on a node, as this permission is not overwritable and ignores other permissions set. E.g., a user has the "edit article" permission. But without also having the "access content" permission, he can not edit the article, even if he has the right permission for that.

The problem with this is, that "access content" allows the user to view any published nodes, hence the ability to select "view" explicitly is unnecessary, as the user is always allowed to "view" a node.

Note, that this is purely node specific.

Steps to reproduce

Proposed resolution

Remove the ability to select viewing node entities.

Remaining tasks

User interface changes

API changes

Data model changes

Feature request
Status

Postponed

Version

2.0

Component

Code

Created by

🇩🇪Germany Grevil

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @Grevil
  • Comment over 1 year ago
    🇩🇪Germany Anybody Porta Westfalica

    @Grevil: Shouldn't remove access content permission work?

    I'd expect that the status is then NEUTRAL and can be set by our module. Or does that legacy code return DENIED explicitly?

    But yes, correct, I ran into this issue some weeks ago, if ACCESS permission is given anywhere, there's no way to revoke it anymore. So definitely access content must be false for tests.
    On top Node uses Grants etc. so it's absolutely possible we can't fix it here and should postpone this issue, but please try without the "access content" permission first (if you didn't already).

  • Comment over 1 year ago
    🇩🇪Germany Grevil

    @Anybody view node should not be selectable, that's all. So no need to postpone this issue.

  • Comment over 1 year ago
    🇩🇪Germany Grevil

    You can test it yourself:

    user permissions ['access content', 'edit article'] => /node/1/edit => access allowed

    user permissions ['edit article'] => /node/1/edit => access denied

    WITHOUT any modules activated outside the core modules.

  • Comment over 1 year ago
    🇩🇪Germany Anybody Porta Westfalica

    user permissions ['access content', 'edit article'] => /node/1/edit => access allowed

    user permissions ['edit article'] => /node/1/edit => access denied

    in the 2nd one you allowed "edit" using our field then?

  • Status changed to Postponed over 1 year ago
  • Comment over 1 year ago
    🇩🇪Germany Anybody Porta Westfalica

    Confirmed. So this extra case *might* be excluded by a special condition and documented, but for now I think we should postpone this, at least technically.

    If someone runs into this confusion, he can write a fix for this to be reviewed.

  • Comment over 1 year ago
    🇩🇪Germany Grevil

    @Anybody, no simply using the "edit article" permission provided by core.

    Basically, we can not access any content without "access content". Another example: We have an authenticated user, without the "access content" permission, who IS allowed to view a node (through our field), since he does NOT have the "access content" permission, permission is denied.

    But thinking this through, it might make more sense to just display a warning, that this special case exists for nodes?

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024