Closed (fixed)
Project:
Taxonomy Access Control Lite
Version:
7.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
15 Feb 2013 at 15:56 UTC
Updated:
4 Jun 2014 at 21:05 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #1
jmking commentedExperiencing the same issue. However we're using Workbench Moderation instead of Revisioning.
Seems tac_lite overrides whatever access hook revision/workbench use to implement access to drafts/unpublished revisions.
Comment #2
emersonweb commentedI've solved it, temporarily, by manipulating the theme but it it is an ugly ugly fix.
Comment #3
Dave Cohen commentedIn my mind, not a bug. tac_lite shouldn't care whether node is published or not.
If you're using views.module, add a filter to hide unpublished nodes. If you're using code or something else, I'm sure it also has a way to filter based on node status.
Comment #4
emersonweb commentedHi -- not sure I understand why this isn't a bug. Tac_Lite is, in effect, overriding the unpublished status of a node and making it publicly accessible.
Comment #5
Dave Cohen commentedI think it makes sense to add a checkbox to the scheme settings form. Would say something like "This scheme applies to unpublished nodes". Then in tac_lite_node_access_records(), add a check of $node->status.
Anyone care to submit a patch like that?
Comment #6
JorgenSandstrom commentedThis seems to be a problem in the _tac_lite_get_terms function called by tac_lite_node_access_records to get a list of the relavant terms for the node. The core taxonomy_index used here by tac_lite only keeps data for published nodes.
The way I fixed it for our case was to install taxonomy_entity_index and use the supplied taxonomy_entity_index table instead.
Comment #7
Dave Cohen commentedThat sounds like another problem entirely. It's news to me that taxonomy module does not keep track of taxonomy for unpublished nodes.
I'm confused because #6 implies tac_lite would not let users view unpublished nodes (because they'd have no terms), while the original report is that tac_lite does allow users to see unpublished nodes. When I make some time I'll have to experiment and figure out what's really going on.
Sounds like the D6 to D7 push to make everything a field had a lot of side effects for taxonomy and this module is still catching up to them.
Comment #8
JorgenSandstrom commentedI found that _tac_lite_get_terms did not return any tids for any unpublished node but did for the same node if published.
I think the original report had given some roles permission to view unpublished nodes. This was also the way we had our site set up. In that case everyone of that role had access to all the unpublished nodes. Inversely, the roles without permission to view unpublished nodes would not have access even though their taxonomy permissions allowed it.
Comment #9
Dave Cohen commentedI don't think that's what the original poster reported. He wrote "Disabling tac_lite renders the unpublished page inaccessible."
If a user has permission to view unpublished nodes, they'll see those nodes regardless of what tac_lite does.
Your patch seems reasonable. But an even better patch would make it work without needing taxonomy_entity_index. I wonder what the reasoning is to not have terms associated with unpublished nodes. Seems like a stupid change.
Comment #10
emersonweb commentedSorry for being so long in replying. I think that I wasn't clear enough.
For us, the issue is that our view scheme is accessible to both anon & auth users thereby assuring that anyone can view content. The view & edit scheme is where we leverage the user roles to control editing access.
Our problem is that when a tac_lite managed node is unpublished, the view scheme privs are ignoring the status of the node, keeping it publicly viewable. If I turn off he tac_lite module entirely, all anon users get the standard Drupal unpublished message.
If tac_lite's access rules can be superseded by the status of the node, I expect the issue would be solved.
Comment #11
Dave Cohen commentedI think hook_node_access will do the trick for you.
https://api.drupal.org/api/drupal/modules%21node%21node.api.php/function...
In D6 only the module that defined a node type could do it, but in d7 and d8 that hook can implement your logic. It's still reasonable to add a checkbox to a tac_lite scheme so that the scheme does not apply to unpublished nodes.
Comment #12
Andrew Schulman commentedHi. First, I don't think there should be an option for whether tac_lite should allow unpublished nodes to be shown. Unpublished is just that - unpublished, and no module should override it unless that's explicitly what's wanted. Note also that hook_node_access_records says, "Implementations must make sure not to grant access to unpublished nodes if they don't want to change the standard access control behavior."
The right solution is just to respect the node status in granting permissions. The attached one-line patch does that. (After the patch is applied, the node permissions will have to be rebuilt once at admin/reports/status/rebuild; after that they'll be maintained correctly.)
One thing I'm unsure of though, is whether it's best to suppress granting just the view permission, or also the update and delete permissions, for unpublished nodes. This patch suppresses granting all three, but it might be better to suppress granting just the view permission. Note that not granting the update or delete permission isn't the same as denying those permissions; they can still be granted elsewhere, but tac_lite won't grant them with this patch.
Comment #13
Andrew Schulman commentedDave, I see what you were getting at now. Admins should determine which of the permissions to apply to unpublished content, so we should provide a checkbox for it for each tac_lite scheme.
I see how this would work and I'll work on creating a patch for it. Meanwhile, for admins who just want to be sure right now that their unpublished content isn't being published, #12 provides a quick fix.
Comment #14
Andrew Schulman commentedWell, that turned out to be easier than I thought. It's because of tac_lite's simple design.
This patch creates a new checkbox, "Apply to unpublished content", in each TAC Lite scheme. Permission grants in the scheme are only applied to unpublished nodes if the box is checked. By default the box is unchecked, so unpublished nodes won't be made visible.
When the patch is applied, the box will start off unchecked in all existing schemes, but as above admins will need to rebuild their node access permissions (admin/reports/status/rebuild) once in order to stop unpublished nodes from being shown.
I've tested the patch and it works for me. Patch is against current HEAD.
Comment #15
Andrew Schulman commentedComment #16
emersonweb commentedTrying to apply the patch and getting an error that the file line & the patch line don't match [for the Backwards Compatibility comment]
Comment #17
Andrew Schulman commentedHi. The patch in #14 was against the current development release. Not sure which version you're using, but here's the same patch against the 7.x-1.0-rc2 release.
Comment #18
Dave Cohen commentedI like the direction of this patch. But as I see it, and as this thread indicates, there are two problems.
The latest patch address the problem of "if tac_lite grants access to unpublished nodes, let's make that optional." And as far as I can tell it does that well.
However it does not address the problem of "tac_lite does not grant access to unpublished nodes." That is, tac_lite still uses taxonomy_index table which is not populated for unpublished content.
Andrew I'm curious are you using the earlier patch and taxonomy_entity_index? If not, how are you even testing this?
Comment #19
Dave Cohen commentedHere is an improved patch I believe does the job. Please test and let me know.
Comment #20
Andrew Schulman commentedSorry it took me a while to get back to this.
Dave, I didn't apply the tac-lite-use-entity-index patch in my earlier testing. I don't know why my patch was able to fix the bug anyway on our site. We use the revisioning module, so maybe that's a factor.
Anyway, I can confirm that the patch in #19 also fixes the bug, so from my point of view it's ready to go.
Comment #21
Dave Cohen commentedOk. Thanks.
Pushed patch. Will tag a release after I review other issues in the queue.
Comment #23
emersonweb commentedThanks so much for addressing this!
Comment #24
bpadaria commentedHi Dave Cohen,
Updated to dev version. Works Great.
========= Ignore below ==========
I have tried applying your patch at #19.
While rebuilding permission it is giving
PDOException: SQLSTATE[HY000]: General error: 1366 Incorrect integer value: '' for column 'gid' at row 2: INSERT INTO {node_access} (nid, realm, gid, grant_view, grant_update, grant_delete) VALUES (:db_insert_placeholder_0, :db_insert_placeholder_1, :db_insert_placeholder_2, :db_insert_placeholder_3, :db_insert_placeholder_4, :db_insert_placeholder_5), (:db_insert_placeholder_6, :db_insert_placeholder_7, :db_insert_placeholder_8, :db_insert_placeholder_9, :db_insert_placeholder_10, :db_insert_placeholder_11), (:db_insert_placeholder_12, :db_insert_placeholder_13, :db_insert_placeholder_14, :db_insert_placeholder_15, :db_insert_placeholder_16, :db_insert_placeholder_17); Array ( [:db_insert_placeholder_0] => 45 [:db_insert_placeholder_1] => all [:db_insert_placeholder_2] => 0 [:db_insert_placeholder_3] => 1 [:db_insert_placeholder_4] => 0 [:db_insert_placeholder_5] => 0 [:db_insert_placeholder_6] => 45 [:db_insert_placeholder_7] => tac_lite [:db_insert_placeholder_8] => [:db_insert_placeholder_9] => 1 [:db_insert_placeholder_10] => 0 [:db_insert_placeholder_11] => 0 [:db_insert_placeholder_12] => 45 [:db_insert_placeholder_13] => tac_lite_scheme_2 [:db_insert_placeholder_14] => [:db_insert_placeholder_15] => 0 [:db_insert_placeholder_16] => 1 [:db_insert_placeholder_17] => 0 ) in node_access_write_grants() (line 3546 in node.module)