Restrict access to unpublished revisions

Created on 28 August 2023, about 1 year ago
Updated 18 September 2023, about 1 year ago

Problem/Motivation

We would like to prevent admins from viewing un-published content that does not belong to their assigned section(s).

Proposed resolution

The code in workbench_access.module currently ignores all 'view' access requests (i.e. it returns 'neutral'). In our case, it makes sense to ignore unless the entity is an unpublished node revision.

This isn't pretty, but it seems to work, and it illustrates the point:

  if ($op === 'view label' || $account->hasPermission('bypass workbench access')) {
    // Label lookups and users with the bypass permission are never restricted.
    return AccessResult::neutral();
  }
  if ($op === 'view' && (!($entity instanceof \Drupal\node\Entity\Node) || $entity->get('status')->value == '1')) {
    // Keep ignoring 'view' unless the entity is an unpublished node.
    return AccessResult::neutral();
  }

✨ Feature request
Status

Active

Version

2.0

Component

Code

Created by

🇺🇸 United States bmelvin1


Comments & Activities

  • Issue created by @bmelvin1
  • 🇺🇸 United States agentrickard Georgia (US)

    WA is not designed to restrict View access, as you note here.

    I think this is an odd case that has come up since the adoption of content moderation more widely. Custom code can handle this case pretty easily.

    I would be in favor of adding this as an optional setting, I think, similar to how we handle unassigned content now.

    What I don't want to support is control of the View operation generally.

    If we add the feature, it would need tests.
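
A sketch of the custom-code route mentioned in the comment above, added here as an example; it is not code from Workbench Access or from either participant. The module name `section_view_guard` is hypothetical, and the sketch assumes that a user's section assignment is reflected in their 'update' access to the node, so an unpublished node the user cannot update is treated as outside their sections.

```php
<?php

/**
 * @file
 * Hypothetical custom module "section_view_guard" (the name is an assumption).
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Implements hook_node_access().
 */
function section_view_guard_node_access(NodeInterface $node, $op, AccountInterface $account) {
  // Only 'view' on unpublished nodes is restricted here. Every other case is
  // left to core and Workbench Access. The node is added as a cache dependency
  // so the result is recalculated when its published status changes.
  if ($op !== 'view' || $node->isPublished()) {
    return AccessResult::neutral()->addCacheableDependency($node);
  }

  // Keep the existing bypass permission working as it does in the module.
  if ($account->hasPermission('bypass workbench access')) {
    return AccessResult::neutral()->cachePerPermissions();
  }

  // Assumption: 'update' access already accounts for section assignment, so
  // it is reused instead of calling Workbench Access internals directly.
  // Passing TRUE returns an access result object rather than a boolean.
  $update = $node->access('update', $account, TRUE);

  // Forbidden outranks any 'allowed' result granted by other modules or by
  // the "view any unpublished content" permission.
  return AccessResult::forbiddenIf(
    !$update->isAllowed(),
    'Unpublished content outside the sections this user can edit.'
  )
    ->addCacheableDependency($update)
    ->addCacheableDependency($node)
    ->cachePerUser();
}
```

Because the check keys on 'update' access, a user who may view unpublished content but has no edit rights at all is also blocked; a site that needs that role would have to exempt it explicitly.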
