Loss of access to unpublished nodes

Created on 23 December 2024, 1 day ago

Problem/Motivation

Users with "administer nodes" permission but not "view own unpublished content" can no longer view unpublished nodes. This is a regression in 11.1 caused by 🐛 Access cacheability is not correct when "view own unpublished content" is in use Needs work . It is causing simplenews tests to fail.

Setting as Major because it's a regression / BC break - if that's not right then please adjust.

Steps to reproduce

NB I have deduced this by reading the code. I don't actually have a 11.1 site to test against.

  1. Create an unpublished node.
  2. Create a user with "administer nodes" permission but not "view own unpublished content".
  3. Try to view the node with this user, and access is denied.

Proposed resolution

Bug is in NodeAccessControlHandler::checkViewAccess().
I suggest that before the check on 'view own unpublished content' we add something like this:

    if ($account->hasPermission('administer nodes')) {
      return AccessResult::allowed()->addCacheableDependency($cacheability);
    }

or we could put this if test around the next 3 if tests that return NULL.

    if (!$account->hasPermission('administer nodes')) {
    }

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Active

Version

11.1 🔥

Component

node system

Created by

🇬🇧United Kingdom adamps

Live updates comments and jobs are added and updated live.
  • Regression

    It restores functionality that was present in earlier versions.

Sign in to follow issues

Comments & Activities

  • Issue created by @adamps
  • 🇬🇧United Kingdom catch

    'administer nodes' doesn't grant access to unpublished nodes (it did used to a very long time ago), the catch-all permission for that is 'bypass node access' now. Can you try adjusting the test coverage to add that permission and see if it's enough?

Production build 0.71.5 2024