Unpublished node should never be shown to a role permission to see unpublished

Created on 14 April 2025, 12 days ago

Problem/Motivation

Node unpublished are shown to user regarding the rule defined in the nodeaccess config. But unublished content not be displayed to users if they don't have a specific permission. That's a privilege for Editors and admins.

Steps to reproduce

On an unpublished node, go to the "node access" config, check the "view" checkbox and save.
Rebuild the permissions.
With a simple user Authenticated visit the unpublished node. I will see it but you should not...

Proposed resolution

Two solutions:

Add new grants on view, edit, delete for unpublished nodes
Just add a check on unpublished nodes iin the hook_node_access_records and return the "default" grants.

Remaining tasks

Patch
Tests

🐛 Bug report

Status

Active

Version

2.0

Component

Code

Created by

🇨🇭Switzerland redzeuf Geneva

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @redzeuf
Comment 12 days ago →
🇨🇭Switzerland redzeuf Geneva
Just adding a patch for the second solution. Globally without all the grant option.
It's enough IMO.
Comment 12 days ago →
🇨🇭Switzerland redzeuf Geneva
Previous patch was not applicable. Just reviewed the path to the module
Comment 12 days ago →
🇨🇭Switzerland redzeuf Geneva
My second patch was also wrong... Apologize

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024