Use case:

I have all of my nodes set to unpublished by default, because I want to look over the changes before they're published, and then publish them myself as a superuser (or use actions/workflow to do it, or...). However, if a user remembers at the last second after submitting that he/she meant to add something to their post, and attempt to go back and edit it, they're taken to an access denied error.

A similar thing happens if I have "Create new revisions" checked and "Published" unchecked; when creating a new revision, the node will get unpublished (a behaviour I also don't like, but one thing at a time ;)) but the user can't view or edit their node to make further changes until an admin has re-published it, and then the cycle continues...

It seems to me that a user should always be able to view and/or edit (if they have proper permissions) nodes that they created, regardless of its published state. I tried to do this with a contrib module but couldn't find a place to hook in, so I'm thinking we need to fix this in core. Here's a patch.

CommentFileSizeAuthor
#8 node-author-view-edit-unpublished_4.patch1.17 KBJaza
#6 node-author-view-edit-unpublished_3.patch1.06 KBJaza
#5 node-author-view-edit-unpublished_2.patch1.18 KBwebchick
#2 node-author-view-edit-unpublished_1.patch1.07 KBJaza
#1 node-author-view-edit-unpublished_0.patch609 byteswebchick
node-author-view-edit-unpublished.patch479 byteswebchick

Comments

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented
StatusFileSize
new node-author-view-edit-unpublished_0.patch609 bytes

Actually, this is better. Don't need the global $user because uid is already passed in, and it should go after the node_access stuff.

Jaza’s picture

Jaza commented
Status: Needs review » Reviewed & tested by the community
StatusFileSize
new node-author-view-edit-unpublished_1.patch1.07 KB

I noticed this annoying bug quite a while ago, but I never bothered to fix it. It's about time it got fixed up! I agree that users should always be able to view their own nodes, especially since they are taken to the page for their newly-created node once they submit it.

New patch with a few more fixes:

  1. We can't rely on $uid being available (and the node access code in this function shouldn't be relying on it either). Most calls to node_access() don't bother to pass this optional parameter. If $uid is null, we need to use global $user->uid instead.
  2. Added a check for $op == 'view': users should ONLY be able to VIEW their own nodes. They shouldn't always be able to perform other operations, such as edit their own nodes; they should only be able to do this if they've been given permission to do so (and the built-in node types provide edit own xxx content as a permission).

Setting RTBC, as I've tested this patch and I'm pretty confident that it does the job properly.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented

Tested and seems to be working here! Thanks for taking it home, Jaza. :)

drumm’s picture

drumm
he/him
Location NY, US
commented
Status: Reviewed & tested by the community » Needs work

patching file modules/node/node.module
Hunk #1 FAILED at 2571.
Hunk #2 succeeded at 2595 (offset -6 lines).
Hunk #3 succeeded at 2618 (offset -6 lines).
1 out of 3 hunks FAILED -- saving rejects to file modules/node/node.module.rej

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented
Status: Needs work » Needs review
StatusFileSize
new node-author-view-edit-unpublished_2.patch1.18 KB

Here's a re-roll.

Jaza’s picture

Jaza commented
Status: Needs review » Reviewed & tested by the community
StatusFileSize
new node-author-view-edit-unpublished_3.patch1.06 KB

Tested webchick's latest patch, for viewing published/unpublished nodes as anonymous and as node author, and it all works beautifully.

New patch attached: this is identical to webchick's latest patch, just it fixes some minor offsets.

drumm’s picture

drumm
he/him
Location NY, US
commented
Status: Reviewed & tested by the community » Needs work

The $uid argument was removed. if (is_null($uid)) will always be false.

Jaza’s picture

Jaza commented
Status: Needs work » Reviewed & tested by the community
StatusFileSize
new node-author-view-edit-unpublished_4.patch1.17 KB

Well then, in that case we'll just use $user->uid directly. New patch that removes the $uid variable completely from the node_access() function.

drumm’s picture

drumm
he/him
Location NY, US
commented
Status: Reviewed & tested by the community » Fixed

Committed to HEAD.

Anonymous’s picture

(not verified) commented
Status: Fixed » Closed (fixed)
liquidcms’s picture

liquidcms commented
Version: x.y.z » 4.7.x-dev

sorry for having to bring this up.. but #9 says "committed to HEAD".. which on Nov. 12 wouldnt that mean that this functionality would exist (without the patch) in 4.7.5 (and i think 4.7.4 as well)?

I am using 4.7.5 and i am pretty sure (sadly) this doesn't work. So, i'll try the patch.

liquidcms’s picture

liquidcms commented
Version: 4.7.x-dev » 5.0

hmmm.. ok when i look at the patches here they all (except the first one) refer to modules/node/node.module.. which to me looks a lot like 5 not 4.7.x as the post states...

which then likely answers my question about already being in 4.7.5

any thought on this actually working for 4.7.5... and of course i am just about to try it.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented

It's for 5 only, and likely won't be backported because it's an API change.