Loss of access to unpublished nodes

Created on 23 December 2024, about 1 month ago

Problem/Motivation

Users with "administer nodes" permission but not "view own unpublished content" can no longer view unpublished nodes. This is a regression in 11.1 caused by the issue Access cacheability is not correct when "view own unpublished content" is in use (status: Needs work). It is causing simplenews tests to fail.

Setting as Major because it's a regression / BC break - if that's not right then please adjust.

Steps to reproduce

NB I have deduced this by reading the code. I don't actually have an 11.1 site to test against.

  1. Create an unpublished node.
  2. Create a user with "administer nodes" permission but not "view own unpublished content".
  3. Try to view the node with this user, and access is denied.

Proposed resolution

Bug is in NodeAccessControlHandler::checkViewAccess().
I suggest that before the check on 'view own unpublished content' we add something like this:

    if ($account->hasPermission('administer nodes')) {
      return AccessResult::allowed()->addCacheableDependency($cacheability);
    }

or we could put this if test around the next 3 if tests that return NULL.

    if (!$account->hasPermission('administer nodes')) {
      // The next 3 if tests that return NULL go here.
    }

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Active

Version

11.1 🔥

Component

node system

Created by

🇬🇧United Kingdom adamps

  • Regression

    It restores functionality that was present in earlier versions.


Comments & Activities

  • Issue created by @adamps
  • 🇬🇧United Kingdom catch

    'administer nodes' doesn't grant access to unpublished nodes (it did used to a very long time ago), the catch-all permission for that is 'bypass node access' now. Can you try adjusting the test coverage to add that permission and see if it's enough?

  • 🇬🇧United Kingdom adamps

    Thanks for the reply. Yes, I was already aware that I can fix the test in the way you suggest. However, I originally raised the issue because something has changed in the node access (the tests were working before and now they fail) and it seemed potentially important.

    However what you wrote about the different permissions is of course correct. I did some more investigation and it seems that the test user never had access to view the unpublished node. What has changed is:

    • before: there was a link to view the node which would fail if clicked
    • now: Drupal views has somehow spotted that the node isn't accessible and doesn't even put a link at all which causes the test to fail as it specifically looks for the a tag

    The new behaviour seems more correct. Anyway it's a pretty strange case, because the test user has 'administer nodes' permission but not 'access content'. It seems like I can just close this now.
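
The permission behaviour described in the comments above, written as a functional test. This is an added example, not part of the original thread and not one of Drupal core's own tests. It assumes a stock Drupal core install with no node access (grants) modules enabled; the `example` module namespace and the class name are hypothetical.

```php
<?php

declare(strict_types=1);

namespace Drupal\Tests\example\Functional;

use Drupal\Tests\BrowserTestBase;

/**
 * Added example: which permissions allow viewing an unpublished node.
 *
 * @group example
 */
class UnpublishedNodeViewAccessTest extends BrowserTestBase {

  protected static $modules = ['node'];

  protected $defaultTheme = 'stark';

  public function testUnpublishedNodeViewAccess(): void {
    $this->drupalCreateContentType(['type' => 'page']);

    // The owner holds 'view own unpublished content'.
    $owner = $this->drupalCreateUser(['access content', 'view own unpublished content']);
    $node = $this->drupalCreateNode([
      'type' => 'page',
      'status' => 0,
      'uid' => $owner->id(),
    ]);

    // 'administer nodes' is not a view bypass, even with 'access content'.
    $admin = $this->drupalCreateUser(['access content', 'administer nodes']);
    $this->assertFalse($node->access('view', $admin));

    // The case from the thread: 'administer nodes' without 'access content'.
    $admin_only = $this->drupalCreateUser(['administer nodes']);
    $this->assertFalse($node->access('view', $admin_only));

    // 'bypass node access' is the catch-all permission.
    $bypass = $this->drupalCreateUser(['bypass node access']);
    $this->assertTrue($node->access('view', $bypass));

    // The owner can view their own unpublished node.
    $this->assertTrue($node->access('view', $owner));
  }

}
```

A contrib test that relies on an administrative user opening unpublished content needs to grant 'bypass node access' explicitly rather than depend on 'administer nodes'.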
