Closed (fixed)
Project:
Revisioning
Version:
7.x-1.x-dev
Component:
Miscellaneous
Priority:
Normal
Category:
Bug report
Assigned:
Reporter:
Created:
8 Aug 2011 at 17:02 UTC
Updated:
18 Apr 2013 at 06:00 UTC
Jump to comment: Most recent file
Comments
Comment #1
yeha commentedI noticed something strange about when hook_revisionapi is invoked in _revisioning_unpublish_revision and _revisioning_publish_revision functions. The hook_revisionapi uses an old copy of the $node_revision without the updated status. I am not sure if this is by design or an issue. I had to set the status accordingly but I think there might be a better way to accomplish this.
Comment #2
c.d.a commentedI ran into the same issue… node_access entries for the revisioning nodes didn’t seem to be created or destroyed unless the node_access table is rebuilt via some other mechanism. node_access_acquire_grants() checks the status of the node and if it’s not published it never adds the realm ‘all’ grant. It looks like _revisioning_publish_revision() and _revisioning_unpublish_node() bypass node_save() and a call to node_access_acquire_grants() doesn’t work because the $node->status doesn’t reflect the published state.
Something like the following could be done… in _revisioning_publish_revision() and _revisioning_unpublish_node() to ensure the node_access entries are created/destroyed
I can provide a patch if there is interest.
Comment #3
c.d.a commentedHere's the patch.
Comment #4
c.d.a commentedSeems the issue still occurred when a new revision was created and unpublished (moderated). Updated patch to include setting the node status to the current_status in revisioning_node_update() which occurs just before node_save()’s call to node_access_acquire_grants().
Comment #5
rdeboerThanks cda!
Will check into Git asap.
Rik
Comment #6
c.d.a commentedFound a couple of small problems with the last patch... third time is a charm.
Comment #7
c.d.a commentedLast patch did not check that current_status existed, which caused a problem on non-revisioning nodes. This should be the final patch...
Comment #8
yeha commentedThe patch seems to work for me. The node_access are corresponding to the status of the revision/node.
Comment #9
nd987 commentedPatch from #7 worked great.
Comment #10
joevansteen commentedPatch from #7 is clearing up problems for me. Being used with Taxonomy Access Control.
Comment #11
rdeboerSee also the solution at #1282084: Revisioning may not be compatible with certain modules that use hook_node_access_records() (e.g. Domain Access), which may kill two birds with one stone, as joevansteen points out in that issue.
Comment #12
Mangostaniko commentedPatch #7 resolved my problem, where i had to manually update access control settings each time i published a revision.
Is this patch going to be merged with the module — this might be the most stupid question you ever heard, but i just want to be sure :)
Thank you for all the work on one of the greatest modules!
Comment #13
rdeboer@Mangostaniko
Yep as soon as I have time to do the next batch of Revisioning patches and fixes.
Rik
Comment #14
rdeboerWill do this before the end of 2011...
Comment #15
rdeboerCommitted to 7.x-1.x branch. Will be available in 7.x-1.4.
Credited to c.d.a: http://drupal.org/node/407994/committers.
Congrats on your first credited patch, Chris!
Comment #17
pbuyle commentedNote: The fix is not available in 7.x-1.3 (which only include a fix for https://drupal.org/node/1409268), I expect it will be available with 7.x-1.4.
Comment #18
rdeboerThat's right mongilo404!.
Comment #19
kevinquillen commentedThis patch appears to work but there is a problem with Taxonomy Access Control.
If I go in and change a TAC controlled term on a node, and save then publish it, then come back in as another user who does not have access to that term, I can still edit the node and its revisions. I should only be able to do this if I have permission through TAC (in node_access).
Comment #20
rdeboerBugger! Will investigate.
Comment #21
kevinquillen commentedI also want to note that I am using Revisioning, TAC, and Workflow in conjunction.
Revisioning should maintain versions of content.
TAC needs to control if a user can edit the content/revisions. (term assigned to roles)
Workflow needs to control the state of the content.
I am thinking maybe Workflow Access is in the way here, but just wanted to throw it out there. Since WA seems to always put grant_x to 1 in the database, it might be winning out over TAC.
Comment #22
rdeboerGlad you mentioned that Kevin,
Other modules that control access like TAC and Workflow Access certainly pack a punch in determining out what the resulting outcome will be....
Would you have any other details that may lead to a reproduceable test case?
Rik
Comment #23
kevinquillen commentedAfter disabling WA, behavior is a bit closer to what is needed, with one odd side effect:
A user cannot seem to edit older revisions, even if the term is in their Allowed TAC list- it seems access is dictated by the current published revision. Can I conclude then, that this is because node_access is not tracking revision access, but access to the master node?
Comment #24
rdeboerPretty much.
I think you'll continue to have these problems when using TAC.
Comment #25
kevinquillen commentedAhh, okay. That's a little confusing and counterintuitive to me for true collaborative editing, but, I guess thats the way it is.
Comment #26
joevansteen commentedKevin,
Have you looked at or tried the TAC Unpublished module? I was playing with TAC and Revisioning and it helped clear up some issues for me. I can't say they were the same issue you are having, but you might try it before you go elsewhere or give up. It extends TAc access control over unpublished nodes. My impression is that it should be merged with the TAC module over time. It is a bridge/patch for some problems in this area with the current module.
Comment #27
kevinquillen commentedOh, no, I am still using Revisioning/TAC/Workflow, but thought it was odd that Workflow/TAC access was not revisioned too, allowing multiple access to revisions, not just one access check. I can see where that would become huge, though.
Comment #28
joevansteen commentedTAC Unpublished is something to use IN ADDITION to TAC to provide access control via TAC for "unpublished" nodes. You might want to review the documentation there and the issue documentation that is linked from the main page. Just a thought. It might help you out.
Comment #29
victoriachan commentedHi,
I have been having problems with the change implemented by this patch, which is now committed to 7.x-1.4.
The problem occurs when I use the a rule (from Rules module) with the action 'Publish the most recent pending revision' to publish a new node when certain conditions are met.
When creating a node using drupal's node admin page, and triggering rules to publish the node, node_save() seems to be called after the _revisioning_publish_revision() has run the node_access_acquire_grants() function call. Hence, when the function is called in node_save() again, you'll get an integrity constraint violation error for duplicate entry inserting to node_access table because the row has already been inserted by the node_access_acquire_grants() function call in _revisioning_publish_revision() earlier.
This is only a problem with new nodes. In node_save(), when a node is new, the $delete argument is set to false in the node_access_acquire_grants() function call as it assumes there is no existing row in the node_access table for the node since the node is new. This is not a problem with existing nodes as node_access_acquire_grants() will just delete existing rows by default when the $delete argument is not explicitly set to false.
To replicate this, you'll need:
To trigger the error:
Create a new node using Drupal node admin interface and save it (that will trigger the rule).
Here is an example of the error I got:
Possible fix:
As this only affects new nodes, a quick fix would be to only call node_access_acquire_grants() in _revisioning_publish_revision() when the node is NOT new. When the node is newly created via the node/add/ page, the node_access_acquire_grants() will be called by node_save() anyway.
I have attached a patch for this (to be applied to Revisioning 7.x-1.4 with the earlier patch on this issue already committed), and will be great if someone can look at it and see if there's a better fix or if this fix has any side effects, as I have to admit that after investigating this problem for hours, my mind might not be in its clearest state at the moment!
Thanks!
Comment #30
rdeboerPatch applied. Better late than never. Thanks victoriachan!
Rik