Currently there is a filter in the "All Recent Content" to filter by published state. But if a user is not admin, then the filter does nothing, because of the 'Node: Published or Admin' filter. The filter should be removed, so unpublished nodes can properly be viewed.
Comment | File | Size | Author |
---|---|---|---|
#7 | 7-1845160-exposed-filter-hide.patch | 1.4 KB | bbinkovitz |
#1 | workbench-published-1845160-1.patch | 981 bytes | duellj |
Comments
Comment #1
duellj commented:
This was first introduced here: http://drupal.org/node/1101874#comment-4765210
Attached is a patch that removes the filter.
Comment #2
bbinkovitz commented:
I applied this patch to Workbench 7.x-1.x-dev but it didn't seem to have any effect on the "all recent content" view. Perhaps you could write a test for it?
Comment #3
agentrickard commented:
All the patch would do is remove the misleading exposed filter. The issue is that the exposed filter has no effect.
Comment #4
bbinkovitz commented:
It looks to me like it doesn't remove the exposed filter, it removes the conflicting "published or admin" filter, allowing the exposed filter to function.
I think this patch is arguably a security risk, since it allows non-admins who do not have view unpublished content permissions to view the title and paths of unpublished content in the workbench list.
Of course, when the links are clicked, users without privileges just get access denied errors.
Removing either the exposed filter (while retaining the hidden one) or the link on the node title for those without view unpublished access seems preferable.
Comment #5
bbinkovitz commented:
There's really only one use case where the exposed filter is not useful, and that's for non-admins who don't have permission to view own unpublished content. Essentially there are three kinds of users that are likely to be using Workbench. (Current permissions configuration doesn't really support showing anyone *only* unpublished content.)

user | published | unpublished |
---|---|---|
admin | all | all |
author | all | own |
other | all | none |

If we were to hide the exposed filter from a user, we would have to do this in a way that first checks:
How would this best be accomplished?
Comment #6
agentrickard commented:
This should be possible, I think, in the exposed_form() method of the workbench_access_handler_filter_access class.
But to apply the "view own unpublished", you also need to adjust query().
Comment #7
bbinkovitz commented:
agentrickard, I'm not familiar enough with your module to know exactly how to do what you're envisioning. I've attached a patch that hides the exposed filter for users who have neither the administrator role, nor view own unpublished content permissions, nor bypass access control permissions. I don't know if it's the best way to accomplish this, but it's what I was able to hack together.
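
Added example, not part of the thread and not the patch attached in comment #7: one way to express the check discussed in comments #5 to #7 as a Drupal 7 form alter that hides only the exposed widget and leaves the view's hidden "Published or admin" filter in place. The module name `mymodule`, the view machine name `workbench_recent_content` and the `status` filter key are assumptions to verify against the exported view.

```php
<?php
// Added example, not Workbench's code. "mymodule", the view name and the
// 'status' filter key are assumptions; check them against the exported view.

/**
 * Which unpublished nodes an account may list: 'all', 'own' or 'none'
 * (the three rows of the table in comment #5).
 */
function mymodule_unpublished_scope($is_admin, $bypass, $view_own) {
  if ($is_admin || $bypass) {
    return 'all';
  }
  return $view_own ? 'own' : 'none';
}

/**
 * Implements hook_form_FORM_ID_alter() for views_exposed_form.
 */
function mymodule_form_views_exposed_form_alter(&$form, &$form_state) {
  if ($form_state['view']->name != 'workbench_recent_content') {
    return;
  }
  $admin_rid = variable_get('user_admin_role', 0);
  $scope = mymodule_unpublished_scope(
    isset($GLOBALS['user']->roles[$admin_rid]),
    user_access('bypass node access'),
    user_access('view own unpublished content')
  );
  if ($scope == 'none' && isset($form['status'])) {
    // Hide only the widget and its label. The view's hidden "Published or
    // admin" filter is untouched, so no unpublished titles are listed.
    $form['status']['#access'] = FALSE;
    unset($form['#info']['filter-status']);
  }
}

// Outside Drupal (php example.php): print the matrix for constructed accounts.
if (PHP_SAPI === 'cli' && !function_exists('user_access')) {
  $accounts = array(
    'admin' => array(TRUE, TRUE, TRUE),
    'author' => array(FALSE, FALSE, TRUE),
    'other' => array(FALSE, FALSE, FALSE),
  );
  foreach ($accounts as $name => $flags) {
    printf("%-6s unpublished: %s\n", $name, call_user_func_array('mymodule_unpublished_scope', $flags));
  }
}
```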
Comment #8
bbinkovitz commented:
This is really a Views bug. My patch works, but it will likely break the ability to export or edit the view.
To be clear, the only "bug" is that Views allows exposed filters to be visible even when one of the available values corresponds to no available content. Whether that actually constitutes a bug or not is debatable.
As for Workbench, the filter works. The only user who sees a filter they can't use is a user who has no permission to view any unpublished content of any kind. Users without such permissions would not likely find a lot of value to using Workbench to begin with.
After some manual testing (as a user with UID>1 and not assigned admin role, but with 'view own unpublished content' permission) it seems like this works as designed.
Comment #9
bbinkovitz commented
Comment #10
JKingsnorth commented:
I'm not sure about this.
My editors are unable to see unpublished content in this list which they do have access to view (and even edit).
This is because, as has been said, the 'Content: Published or admin' filter only checks whether the content is published or the current user has the 'Administer nodes' permission. I expect many lower level editors do not have this permission (mine certainly don't).
Actually, I don't think it will, because we use 'Nodes' as the base table then access controls take effect anyway. I've tested it and this certainly seems to be the case. Test it by creating an unpublished piece of content, of a content type that one of your editors should not be able to View - it doesn't show up in the list, even with the 'Content: Published or admin' filter removed.
So I would recommend removing this filter - Content: Published or admin - from the default configuration, since it isn't really needed and interferes with custom node access / permissions models.
Comment #11
JKingsnorth commented:
(Changing status, Drupal.org is pretty messed up at the moment. To me it looks like your posts are more than 24 hours in the future as well. Magic :P )
Comment #12
colan commented:
See #1492118: View all unpublished content permission not working.