It would be cool if the advanced filter would respect "view own unpublished content" permission

CommentFileSizeAuthor
#17 views_unpublished.patch1.9 KBts145nera
#16 views_unpublished.patch1.9 KBts145nera
#13 views_unpublished.patch2.06 KBts145nera
#8 views_unpublished.patch1.85 KBts145nera
views-status.patch1.63 KBdawehner

Comments

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs review » Fixed

tested and commited.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

troybthompson’s picture

troybthompson commented

I'm having a problem where the views aren't respecting the "view own unpublished content" permission. I noticed the lines in this patch have been changed. Changing them back doesn't solve the issue. Are you also having this problem with the latest dev? Or is this a different problem?

jboyd30’s picture

jboyd30 commented

I'm having similar issues.

I've got a view that's supposed to display all of the current authenticated user's unpublished images, but it returns no results despite the fact that "view own unpublished content" is enabled for that user role. It works fine for administrators, though.

troybthompson’s picture

troybthompson commented
Status: Closed (fixed) » Active

Ok, it looks like this needs to be active again then. If there's anything I can do to help test, please let me know.

merlinofchaos’s picture

merlinofchaos commented

Are you sure you're using the right filter? You need to use the published or admin, not just published.

merlinofchaos’s picture

merlinofchaos commented
Status: Active » Postponed (maintainer needs more info)
ts145nera’s picture

ts145nera commented
Priority: Normal » Major
StatusFileSize
new views_unpublished.patch1.85 KB

I try to add "view unpublished $type content" at views when the user has Published or Admin filter.
Needs Review

Need patch core to add unpublished grant: http://drupal.org/node/273595

ts145nera’s picture

ts145nera commented
Status: Postponed (maintainer needs more info) » Needs review
sharonknieper’s picture

sharonknieper commented

subscribe

justmagicmaria’s picture

justmagicmaria commented

subscribe (for now I have worked around this by using the View Unpublished module and giving users permission 'View any unpublished story content')

roam2345’s picture

roam2345 commented
Status: Needs review » Needs work 
+++ b/modules/views/modules/node.views.inc	Fri Jul 01 14:04:32 2011 +0200
@@ -666,10 +666,27 @@
+function node_views_query_substitutions($view) {
+		
+	if(isset($view->where)){
+		$conditions = $view->where[0]['conditions'];
+		foreach ($conditions as $condition){
+			if($condition['field'] == "node.type"){
+				$type = $condition['value'][0];
+			}
+		}	¶
+	}	¶
+	
+	if(isset($type)){
+		$unpublished_type = user_access("view unpublished " . $type . " content");
+	}else{
+		$unpublished_type = 0;
+	}
+
   return array(
     '***ADMINISTER_NODES***' => intval(user_access('administer nodes')),
     '***VIEW_OWN_UNPUBLISHED_NODES***' => intval(user_access('view own unpublished content')),
+  	'***VIEW_UNPUBLISHED_NODES***' => intval($unpublished_type),

trailing white space in patch please see http://drupal.org/coding-standards#indenting

Powered by Dreditor.

ts145nera’s picture

ts145nera commented
StatusFileSize
new views_unpublished.patch2.06 KB

I'm sorry.
I clean my patch. Needs review.
Thank you

ts145nera’s picture

ts145nera commented
Status: Needs work » Needs review
dawehner’s picture

dawehner
Primary language German
commented
Status: Needs review » Needs work 
+++ b/modules/views/modules/node.views.inc	Mon Jul 11 09:03:10 2011 +0200
@@ -666,11 +666,26 @@
+function node_views_query_substitutions($view) {	
+	if(isset($view->where)){
+		$conditions = $view->where[0]['conditions'];
+		foreach ($conditions as $condition){
+			if($condition['field'] == "node.type"){
+				$type = $condition['value'][0];
+			}
+		}
+	}
+	if(isset($type)){
+		$unpublished_type = user_access("view unpublished " . $type . " content");
+	}
+	else{
+		$unpublished_type = 0;
+	}
+	return array(
+		'***ADMINISTER_NODES***' => intval(user_access('administer nodes')),
+		'***VIEW_OWN_UNPUBLISHED_NODES***' => intval(user_access('view own unpublished content')),
+		'***VIEW_UNPUBLISHED_NODES***' => intval($unpublished_type),

please don't use tabs ORwhitespaces at the end of lines... in generell look at the code style guidelines of drupal, here is also if() instead of if ()

ts145nera’s picture

ts145nera commented
Status: Needs work » Needs review
StatusFileSize
new views_unpublished.patch1.9 KB

This is wrong

ts145nera’s picture

ts145nera commented
StatusFileSize
new views_unpublished.patch1.9 KB

I'm really sorry.
Please review this.

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs review » Needs work 
+++ b/modules/views/modules/node.views.inc	Thu Jul 14 09:32:11 2011 +0200
@@ -668,10 +668,25 @@
+      if($condition['field'] == "node.type"){

The problem with this check is that you can't use this on views which uses relationships/nodes.

Perhaps you should better check in $view->filter

I'm sorry, updated patch.

dawehner’s picture

dawehner
Primary language German
commented
Status: Needs work » Postponed

just had some time to look at the issue in more detail

This feature is NOT part of drupal core yet, so it shouldn't be implemented yet in views, as this is d8 material.

We could somehow postpone the feature request.

michelle’s picture

michelle
she/her
Primary language English
Location Wisconsin, USA
commented
Status: Postponed » Active

I don't understand the "not part of core" issue. If Views isn't going to do anything that isn't part of core, then Views isn't going to do much... That argument doesn't make sense, anyway. Core allows users to view their own unpublished nodes. Views does not. If anything, Views is behind core in this respect and this is almost more of a bug than an FR.

My feeling on this is we should have these options:

1) Published - No one, not even UID 1, sees nodes that are unpublished. I think this is a useful option even though the nodes are viewable when they are gone to directly, just to tidy up your views.

2) Published or Admin - This is the same filter we have now where only admins can see unpublished content in the view. Non admins can't see it, even if it is their own content. Again, this is for tidyness not access control since the user can access the node outside of the view.

3) Published or access - Unpublished nodes that the user can access when viewing the URL should be shown. This is the one that, AFAICT, is not possible now and should be. It doesn't make sense to have nodes that a user is able to access that cannot be shown in a view unless you also show that node to people who cannot access it (ie: turn the filter off)

Michelle

merlinofchaos’s picture

merlinofchaos commented

I don't understand the "not part of core" issue. If Views isn't going to do anything that isn't part of core, then Views isn't going to do much...

I don't understand what this even means. Views very explicitly does not support features provided by contrib modules. Views does rather a lot supporting only tables and items that are only in core, so this statement is provably false. Either that or Views doesn't do much.

However, 'view own unpublished content' is a permission in core, so I'm not sure what dereine actually meant.

michelle’s picture

michelle
she/her
Primary language English
Location Wisconsin, USA
commented

I meant that core doesn't provide an SQL-builder UI with all the fancy trimmings, so if Views isn't allowed to do anything that core can't already do, Views wouldn't exist. It was meant to be a bit of a tongue in cheek response to his baffling statement, not a criticism of Views. :)

Michelle

dawehner’s picture

dawehner
Primary language German
commented
Category: feature » bug

Sadly this issue is currently confused by two issues: One bug issue and one feature request.

About the feature request: As written in my previous comment, "view own unpublished $type content" is not part of core, and so it will not be supported in views core until it lands in drupal core.

About the bug report: There might be a bug in node: published or admin filter, even i can't understand why:
The sql looks like this:

    $this->query->add_where_expression($this->options['group'], "$table.status = 1 OR ($table.uid = ***CURRENT_USER*** AND ***CURRENT_USER*** <> 0 AND ***VIEW_OWN_UNPUBLISHED_NODES*** = 1) OR ***ADMINISTER_NODES*** = 1");

And the placeholders look like this:

function node_views_query_substitutions() {
  return array(
    '***ADMINISTER_NODES***' => intval(user_access('administer nodes')),
    '***VIEW_OWN_UNPUBLISHED_NODES***' => intval(user_access('view own unpublished content')),
  );
}

So this makes somehow sense for me. If the user is the author and has view_own_unpublished_nodes right, then he should get access.

So if this doesn't work it would really help to see a generated query by users which has 'view own unpublished content" permission.

About published OR access filter. This one is tricky, because of the multi-node access system in drupal7:
* you could deny access via hook_node_access on runtime
* you could deny access via hook_query_node_access_alter, alias the nodeaccess which alters the query as in d6

The second one is applied for all node queries, so if a node access module cares about node: published you would not even need
the node: published filter, but i'm not sure whether this is the case for the existing node access modules.

The first one is probably impossible to run on the query as very scarry things could be done on hook_node_access.

merlinofchaos’s picture

merlinofchaos commented
Status: Active » Closed (won't fix)

ARGH.

1) This issue was about "view own unpublished content" permission.

2) Hijacking this issue created a lot of confusion.

Ok, after working a bit with Michelle, I see this issue got hijacked.

The hijack added a patch to recommend supporting the "View Unpublished" contrib module which adds an additional permission. However, by default Views only supports core and Views provided permissions. The "View Unpublished" module would be responsible for providing a replacement handler in that case, and that is not something Views will do.

Marking htis issue closed. I do not appreciate the hijacking that occurred in this issue. It just cost contributors a lot of time and confusion.

merlinofchaos’s picture

merlinofchaos commented

Just to re-iterate: This issue was hijacked as of comment #8. Supporting a contrib module's permissions is against Views policy. Patches of that nature will not be considered.

michelle’s picture

michelle
she/her
Primary language English
Location Wisconsin, USA
commented

Follow-up to this issue: #1264482: Cause and work around of user not seeing own unpublished content in views

ts145nera’s picture

ts145nera commented

I'm really sorry, I wanted to give my contribution.
Please, you don't get angry with me. I hope to do better in the future.

adamtong’s picture

adamtong commented

I also have the same problem. I have a content type and require user to save it as unpublished first. I have created a Views to show the users' own unpublished content, however, the views return no result to authenticated users.

How to fix it?

Thank you in advance!

stephenrobinson’s picture

stephenrobinson commented

Funnily enough if you create a view with an argument for uid and default to $user->uid, admins can see all their own unpub content and everyone elses, anybody can see an admins unpub content and nobody who isnt an admin can view their own unpub content......

stephenrobinson’s picture

stephenrobinson commented

ditto.......

stephenrobinson’s picture

stephenrobinson commented

what's the point of of having a node unpublished filter if it is broken, should be removed from the interface!