- Issue created by @keszthelyi
- 🇧🇪Belgium keszthelyi Brussels
This would need tests and confirmation if the issue reported is valid. Until then, posting a patch that fixes the problem described above.
View access for the revision log message field is handled in `EntityAccessControlHandler::checkFieldAccess()`:

```php
if ($entity && $isRevisionLogField) {
  // The revision log should only be visible to those who can view the
  // revisions OR edit the entity.
  return $entity->access('view revision', $account, TRUE)
    ->orIf($entity->access('update', $account, TRUE));
}
```
According to the comment above the code, the log should be visible to those who have access to view revisions OR to those who can edit the entity. The `orIf()` used in the logic works as expected if one of the access checks returns `allowed` and the other `neutral`. However, if one of the access checks returns `allowed` and the other returns `forbidden`, the `orIf()` will return a `forbidden` access result, which contradicts the intention expressed in the comment.

Normally, the update access check will return `neutral` if the account is not allowed to edit the entity. However, there can be cases when the result is `forbidden`. For example, the content moderation module will return `forbidden` for an update operation if the user doesn't have access to a valid transition for the entity's current moderation state.

1. Given Page content type, authenticated and administrator (all permissions granted) roles
2. Give permissions to authenticated to create, edit own, view published, view own unpublished Page CT and 'Page: View revisions' or 'View all revisions'
3. Either display the Revision log message field in Page default view mode, or create a view that lists pages with the revision log message field among the displayed fields
4. Enable the content moderation module and set up a workflow for Page, with the following transitions:
   - Create New Draft (Draft to Draft)
   - Publish (Draft, Published to Published)
5. Give authenticated permission to the Create New Draft transition only (point being they should not have edit access for Published state)
6. Create a new Page (Draft) with authenticated user, add revision log message
7. At this point I should see the log message when visiting the page (or in the view, depending which option was chosen in 3.)
8. With admin user, publish the Page and add new revision log message
9. As authenticated, I can't view the revision log message anymore, although I have permission to view revisions (because content moderation now forbids me to edit the published node)
Note: can be reproduced with other content entity types also, not node specific.

The access check should be changed to always allow view access to the field if one of the two conditions returns an `allowed` access result:

```php
if ($entity && $isRevisionLogField) {
  // The revision log should only be visible to those who can view the
  // revisions OR edit the entity.
  return AccessResult::allowedIf($entity->access('view revision', $account) || $entity->access('update', $account));
}
```
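
The `orIf()` behaviour described in this issue, as an added example that is not part of the original report or of Drupal core: a standalone PHP 8.1 model of the three access states, comparing the current check with the proposed one. The `Access` enum and the `currentCheck()` and `proposedCheck()` functions are hypothetical names, the four cases are constructed, and cacheability metadata, which real access results carry, is not modelled.

```php
<?php
// Standalone model of the three access states; this is not Drupal code.
// Cacheability metadata is deliberately left out of the model.
enum Access: string {
  case Allowed = 'allowed';
  case Neutral = 'neutral';
  case Forbidden = 'forbidden';

  // Same precedence as AccessResultInterface::orIf(): forbidden wins,
  // then allowed, otherwise neutral.
  public function orIf(Access $other): Access {
    if ($this === self::Forbidden || $other === self::Forbidden) {
      return self::Forbidden;
    }
    if ($this === self::Allowed || $other === self::Allowed) {
      return self::Allowed;
    }
    return self::Neutral;
  }
}

// Current check from the issue: combine both results with orIf().
function currentCheck(Access $viewRevision, Access $update): Access {
  return $viewRevision->orIf($update);
}

// Proposed check from the issue: allowed if either result is allowed,
// neutral otherwise (what AccessResult::allowedIf() returns for FALSE).
function proposedCheck(Access $viewRevision, Access $update): Access {
  $either = $viewRevision === Access::Allowed || $update === Access::Allowed;
  return $either ? Access::Allowed : Access::Neutral;
}

// Constructed cases: [label, 'view revision' result, 'update' result].
$cases = [
  ['can view revisions, update neutral', Access::Allowed, Access::Neutral],
  ['can view revisions, update forbidden by moderation', Access::Allowed, Access::Forbidden],
  ['cannot view revisions, update forbidden', Access::Neutral, Access::Forbidden],
  ['neither permission', Access::Neutral, Access::Neutral],
];

// Print both outcomes side by side for each case.
foreach ($cases as [$label, $view, $update]) {
  printf("%-52s current=%-9s proposed=%s\n", $label,
    currentCheck($view, $update)->value, proposedCheck($view, $update)->value);
}
```
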
Active
11.0 🔥