Currently, the content access permissions to see unpublished content in the "admin/content" overview page require the "Bypass content access control" permission--which doesn't make a great deal of sense, especially for sites with many roles.
Ideally, each content type should have a "View unpublished {node_type}" permission, wherein a role can view/see a node of type X, but not node of type Y (if unpublished).
I was a bit surprised to find no one had documented this before, but setting the "bypass content access control" permission seems a bit too powerful, or isn't an intuitive permission. Typically, I'd reserve something like this for a "Chief Editor" or "Site Admin" role, instead of a general "Content Manager".
Comments
Comment #1
traviscarden commentedI think this is a good idea. There's a similar, but less granular, proposed implementation of this for d8 core at #273595: Move permission "view any unpublished content" from Content Moderation to Node. The view_unpublished module seems to accomplish exactly this.
Comment #2
wjaspers commentedAha, thank you for pointing out that module. So many hidden gems on d.o.
Comment #3
traviscarden commentedLooks like #273595: Move permission "view any unpublished content" from Content Moderation to Node has expanded to include per content type permissions.