Hello, I found something extremely fishy while testing workflow_access. Here is the recipe to show the issue:

- Install a stock Drupal 6.4. Add workflow-6.x-1.0-rc1, enable workflow_access, rebuild permissions.
- Add a role called 'contributor'
- Add a user called 'user', add role 'contributor'
- In Permissions, add 'create page content' to 'contributor'
- Add a new workflow 'Work'.
- Assign 'Work' to Page (Post), save.
- Add one state called 'Editing'.
- Edit workflow. Enable transition from '(creation)' to 'Editing' for author.
- Workflow tab permission: author
- Roles who can view posts in the state 'Editing': author. Uncheck the rest. Save
- Now, log in as 'user'
- Create a new page. Save.
- The page is shown to user 'user'.

So far so good, 'user' is the author and so has permission to view the page according to the permissions set in the 'Editing' state.

Now:

- Create a new role 'strange'
- Have a look at the permissions in the 'Editing' state

'author' no longer has permission to view, which mysteriously moved to the 'strange' role. Let's make things worse.

- Delete the 'contributor' role.
- Delete 'strange'.
- Add a new role 'xx'.
- Go back to the workflow, and look at access control for 'Editing': 'author' regained by itself its 'view' permission.
- In Permissions, add 'create page content' to role 'xx'.
- Give the 'xx' role to 'user'.
- Log in as 'user' again and try to create a new page. When you save the page, despite the author having 'view' permissions, you get:

Access denied
Article uuuu has been created.
You are not authorized to access this page.

-- Table contents

What is going on? An inspection of the tables reveals the following:

- When creating the first page, this is the content of the tables:

mysql> select * from node_access;
+-----+-----+-----------------+------------+--------------+--------------+
| nid | gid | realm           | grant_view | grant_update | grant_delete |
+-----+-----+-----------------+------------+--------------+--------------+
|   1 |   3 | workflow_access |          1 |            0 |            0 | 
+-----+-----+-----------------+------------+--------------+--------------+
1 row in set (0.00 sec)

mysql> select * from workflow_access;
+-----+-----+------------+--------------+--------------+
| sid | rid | grant_view | grant_update | grant_delete |
+-----+-----+------------+--------------+--------------+
|   2 |   3 |          1 |            0 |            0 | 
|   2 |   0 |          0 |            0 |            0 | 
|   2 |   1 |          0 |            0 |            0 | 
|   2 |   2 |          0 |            0 |            0 | 
+-----+-----+------------+--------------+--------------+
4 rows in set (0.00 sec)

mysql> select * from role;
+-----+--------------------+
| rid | name               |
+-----+--------------------+
|   1 | anonymous user     | 
|   2 | authenticated user | 
|   3 | contributor        | 
+-----+--------------------+
3 rows in set (0.00 sec)

I don't know much about the inner workings of workflow_access, but the grant_view for rid '3' seems wrong to me. After creating the 'strange' role, the table becomes:

+-----+--------------------+
| rid | name               |
+-----+--------------------+
|   1 | anonymous user     | 
|   2 | authenticated user | 
|   3 | contributor        | 
|   4 | strange            | 
+-----+--------------------+

and the workflow_access table is unchanged, which explains why the privilege shifts unexpectedly. After the further changes, the tables become:

mysql> select * from role;
+-----+--------------------+
| rid | name               |
+-----+--------------------+
|   1 | anonymous user     | 
|   2 | authenticated user | 
|   5 | xx                 | 
+-----+--------------------+
3 rows in set (0.00 sec)

mysql> select * from workflow_access;
+-----+-----+------------+--------------+--------------+
| sid | rid | grant_view | grant_update | grant_delete |
+-----+-----+------------+--------------+--------------+
|   2 |   2 |          0 |            0 |            0 | 
|   2 |   1 |          0 |            0 |            0 | 
|   2 |   0 |          0 |            0 |            0 | 
|   2 |   3 |          1 |            0 |            0 | 
+-----+-----+------------+--------------+--------------+
4 rows in set (0.00 sec)

The situation becomes even more messy as more roles are added and removed; no amount of 'rebuild node permissions' will fix the situation.
It would be quite helpful if any of the people who know about workflow_access could give their opinion (and suggest a way for me to make the whole thing work as expected).
Thanks!

CommentFileSizeAuthor
#16 296086-workflow_access.patch1.66 KBckng
#10 296086-workflow_access.patch1.91 KBckng

Comments

jvandyk’s picture

jvandyk commented

Great work. Thanks for taking the time to dig into this.

workflow_access is not ready for production use.

It was written by Gabor, and I ported it to Drupal 6. There are several things I don't understand about it. Why is there a workflow_access_owner realm that does not seem to be used? Why are these lines there:

    // Allow view grants by default for anonymous and authenticated users, 
    // if no grants were set up earlier.
    if (!$count) {
      $view = array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID);     
    }

Gabor just got married, and I haven't had bandwidth to dig in further. We really need tests written for workflow and workflow_access, too.

rismondo’s picture

rismondo commented

jvandyk,

I had a quick look at the module code. The lines that you quote are there just to give default access permissions to newly created states: each time a new state is added, nodes in that state will be viewable by anonymous and authenticated users by default.

I see that, in the module, 'author' permissions are handled by using a special role id of '-1'. The 'workflow_access_owner' seems to be just a marker to describe this special situation. At some point, while writing out data, the rids end up messed up, and they end up in the table as positive numbers (maybe shifted?). Unfortunately I am really short of time right now, but I might still try to look into that if I find the time. Hopefully Gabor will help us out when he's back.

Thanks, in the meantime.

rismondo’s picture

rismondo commented

ok, I think I got it. In the line:

  $rids = array_merge(user_roles(), array('-1' => t('author')));

the intent is adding a new array element that maps -1 to author. However:

user_roles(): Array
(
    [1] => anonymous user
    [2] => authenticated user
    [5] => xx
)
$rids: Array
(
    [0] => anonymous user
    [1] => authenticated user
    [2] => xx
    [3] => author
)

The keys in the result of array_merge() are entirely mangled. The fix is to replace that line with:

  $rids = user_roles();
  $rids['-1'] = t('author');

Once that is done, all starts working normally and the author permissions can be set as desired; the 'workflow_access_owner' also makes its apparence in the node_access table, as expected. The comment, later in the code:

      // TODO: this only works with workflow_access realm, not the workflow_access_owner realm?!

can be removed, as things now work as intended.
Rismondo

rismondo’s picture

rismondo commented
Status: Active » Reviewed & tested by the community
jvandyk’s picture

jvandyk commented
Status: Reviewed & tested by the community » Fixed

Thanks for getting to the bottom of this, rismondo.

rismondo’s picture

rismondo commented

You're welcome! :) Please don't forget to remove the additional (outdated) TODO comment as well...!

Anonymous’s picture

Anonymous (not verified) commented
Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

chicagotech’s picture

chicagotech commented
Version: 6.x-1.0-rc1 » 6.x-1.0-rc3
Status: Closed (fixed) » Active

Sorry, this bug does not appear to be fixed. I've applied new workflow to a node (that was previously working fine without workflow) with a "draft" state. The author has rights to view and edit the node in this state (although, not in "live" state). Toggling the view rights on and off changes access correctly, but the author user is not being given access to edit the node, even though edit rights are given to this user's role, which is author (it doesn't work either when the giving rights to "authenticated" user). The node is "published", authenticated users have rights to edit this node type, and the node is in "draft" state. Configuration includes Drupal 6.6, Workflow 6.x-1.0-rc3 and Rules 6.x-1.0-beta3.

Please help.

chicagotech’s picture

chicagotech commented
Status: Active » Closed (fixed)

Solved. Thanks anyway.

ckng’s picture

ckng
Primary language English
commented
Version: 6.x-1.0-rc3 » 5.x-2.3
Status: Closed (fixed) » Needs review
StatusFileSize
new 296086-workflow_access.patch1.91 KB

Reopen for D5, as fixes not committed for D5.

Attached patch that synced with D6 code.

jsmolina’s picture

jsmolina commented

I have a serious problem related with this issue:
When I enable workflow_access an error appears on my site: 'The content permissions need to be rebuilt, please visit this link'.
The rebuild permissions link doesn't work at all, it remains at 93% and never finishes.

I have tried with the 'dev' branch, the the problem is the same.

Any idea about that?

xamount’s picture

xamount
Primary language English
commented

I applied this patch for drupal 5.10 but I am still getting permissions problems with roles and workflow_access.module.

Not really a duplicate, but see: http://drupal.org/node/239375

xamount’s picture

xamount
Primary language English
commented

When I apply this patch for drupal version 5, I get this issue: #338138: Editing access control for workflow states does not save new values selected

ckng’s picture

ckng
Primary language English
commented

There is a good guide on node access to help you out
http://zivtech.com/blog/drupal-node-access-explained-0

As for #338138: Editing access control for workflow states does not save new values selected, I will check again. Note that my patch is for 5.x-2.3! Not the dev.

xamount’s picture

xamount
Primary language English
commented

Good read at that link, thanks. And yes, I applied the patch to 5.x-2.3.

ckng’s picture

ckng
Primary language English
commented
StatusFileSize
new 296086-workflow_access.patch1.66 KB

Fixed patch for D5 related to #338138: Editing access control for workflow states does not save new values selected

Bastlynn’s picture

Bastlynn commented
Status: Needs review » Closed (won't fix)

Hi,

With the release of Drupal 7, Drupal 5 is no longer receiving security updates, reviews, or development from many contributed modules. Since 5 is now considered a depreciated version, you really should seriously look into upgrading to Drupal 6 or 7. The newer versions of Drupal work better, have more support, and will be safer (literally! security patches!) for your website. We are currently working on a new release for Workflow to Drupal 7. In light of that, further support for Drupal 5 issues is infeasible at the moment. Please consider upgrading to Drupal 6 or 7 in the near future - you'll be glad you did.

- Bastlynn