- Issue created by @catch
- 🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium
catch credited kristiaanvandeneynde.
- Merge request !11690 Avoid cache redirect error in NodeAccessControlHandler. (Open) created by catch
- 🇬🇧United Kingdom catch
I also think we need to consider whether this case actually ought to check node grants too, e.g. if you're able to view your own unpublished nodes, then maybe there is some reason node grants would still want to deny that? Seems unlikely but theoretically possible.
- 🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium
Off the top of my head: Don't grants also not apply if an access hook already gave a definitive answer?
- 🇬🇧United Kingdom catch
In ::checkAccess(), if ::checkViewAccess() returns null, it falls back to node grants. The only situation in which that doesn't happen is when the user is allowed to view their own unpublished content.
In EntityAccessControlHandler::access(), it calls checkViewAccess as long as access hasn't been forbidden already.
So you can forbid access and prevent node access running (it can't undo a forbid), but you can't bypass it with a grant except for the view own unpublished permissions check.