Latest revision gives access denied [#2687789]

Problem/Motivation

The latest revision tab shows, but when you click on its link you get a 403 page.

This scenario is created when you give anonymous users "View the latest version" permission, but not the "View any unpublished content" permission.

Here are steps to reproduce:

Install Workbench Moderation and enable a content type to be moderated, with all moderation states enabled, and default state of draft
Create a node for that content type and publish it
Create a forward revision for that node by creating a new draft
Set the "View the latest version" permission to "Anonymous User"
Access the node as an anonymous user
Notice you see the "Latest version" tab, click on it
Notice you are taken to a 403 Access denied page

Proposed resolution

TBD

Comment	File	Size	Author
#16	change-latest-version-permission-to-view-own-unpublished-content-2687789.patch	1.12 KB	SimFin
#16
#12	2687789-latest-tab.patch	5.93 KB	Crell
#12	8.x-1.x: PHP 5.5 & MySQL 5.5, D8.2 61 pass PHP 5.6 & MySQL 5.5, D8.2 61 pass PHP 7 & MySQL 5.5, D8.2 61 pass
#8	2687789-latest-tab.patch	5.45 KB	Crell
#8	8.x-1.x: PHP 5.5 & MySQL 5.5, D8.2 59 pass, 2 fail PHP 5.6 & MySQL 5.5, D8.2 59 pass, 2 fail PHP 7 & MySQL 5.5, D8.2 59 pass, 2 fail
#6	2687789_6.patch	2.64 KB	josephdpurcell
#6	8.x-1.x: PHP 5.5 & MySQL 5.5, D8.2 55 pass PHP 5.6 & MySQL 5.5, D8.2 55 pass PHP 7 & MySQL 5.5, D8.2 55 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

15 March 2016 at 16:03

josephdpurcell created an issue. See original summary.

Comment #2

Crell CreditAttribution: Crell at Palantir.net for Acquia commented 15 March 2016 at 22:54

Does this happen without multiversion, or is it a multiversion-specific bug?

Comment #3

josephdpurcell CreditAttribution: josephdpurcell at Palantir.net for Acquia commented 15 March 2016 at 23:43

Issue summary:

View changes

This is a Workbench Moderation specific bug report. I've updated the description to clarify.

Comment #4

josephdpurcell CreditAttribution: josephdpurcell at Palantir.net for Acquia commented 17 March 2016 at 13:17

Issue summary:

View changes

I have a clearer idea of what is happening. I've updated the description to reflect it.

I'm not sure this is actually a bug, but rather a need to understand that "View the latest version" permission doesn't make sense if the user cannot view the forward revision, e.g. the user doesn't have "View any unpublished content" permission.

I see two ways to improve this:

Hide the "Latest version" tab if the user does not have permission to access the forward revision
Update the description of the "View the latest version" description from "View the latest version of an entity" to "View the latest version of an entity (depends on "View any unpublished content")", or a similar phrasing

Comment #5

Crell CreditAttribution: Crell at Palantir.net for Acquia commented 17 March 2016 at 15:01

Why decide? Let's do both. :-) That's probably best for UX.

Comment #6

josephdpurcell CreditAttribution: josephdpurcell at Palantir.net for Acquia commented 17 March 2016 at 19:35

File	Size
2687789_6.patch	2.64 KB
8.x-1.x: PHP 5.5 & MySQL 5.5, D8.2 55 pass PHP 5.6 & MySQL 5.5, D8.2 55 pass PHP 7 & MySQL 5.5, D8.2 55 pass

I don't believe this patch works. It appears to me that $this->moderationInfo->getLatestRevision returns the latest revision even if the user doesn't have access to it.

Follow up would be to not just load the forward revision but verify the user has access, and secondly do item 2 in #4

Comment #7

Crell CreditAttribution: Crell at Palantir.net for Acquia commented 17 March 2016 at 20:08

Status:

Active

» Needs review

Correct. That method is explicitly not user-access-aware. That needs to get checked externally by this patch.

+++ b/src/Access/LatestRevisionCheck.php
@@ -18,13 +19,23 @@ class LatestRevisionCheck implements AccessInterface {
-  public function __construct(ModerationInformationInterface $moderation_information) {
+  public function __construct(ModerationInformationInterface $moderation_information, AccountInterface $current_user) {
     $this->moderationInfo = $moderation_information;
+    $this->currentUser = $current_user;
   }

The account can be passed into the access() method, as one of the many magic values it can request. See how PermissionAccessCheck does it.

+++ b/src/Access/LatestRevisionCheck.php
@@ -48,7 +59,14 @@ class LatestRevisionCheck implements AccessInterface {
+    $forward_revision = NULL;

NULL is a bug. :-)

+++ b/src/Access/LatestRevisionCheck.php
@@ -48,7 +59,14 @@ class LatestRevisionCheck implements AccessInterface {
+    if ($this->moderationInfo->hasForwardRevision($entity)) {
+      $forward_revision = $this->moderationInfo->getLatestRevision($entity->getEntityTypeId(), $entity->id());
+    }

getLatestRevision() isn't user-aware either.

Comment #8

Crell CreditAttribution: Crell at Palantir.net for Acquia commented 1 April 2016 at 22:29

File	Size
2687789-latest-tab.patch	5.45 KB
8.x-1.x: PHP 5.5 & MySQL 5.5, D8.2 59 pass, 2 fail PHP 5.6 & MySQL 5.5, D8.2 59 pass, 2 fail PHP 7 & MySQL 5.5, D8.2 59 pass, 2 fail

1 file was hidden/shown/deleted

File	Size
2687789_6.patch	2.64 KB
8.x-1.x: PHP 5.5 & MySQL 5.5, D8.2 55 pass PHP 5.6 & MySQL 5.5, D8.2 55 pass PHP 7 & MySQL 5.5, D8.2 55 pass

Here's a totally new take.

The test in this patch adds a test for the class, but turns out the fix itself doesn't even need to touch the class. However, writing a proper test for that requires BrowserTestBase, and placing blocks to get the tabs to show up, and after an hour-plus of trying to make that work I am giving up and just trusting that it works because I am sick to death of our testing framework at this point. :-(

If testbot likes the rest of this patch, I'll merge it shortly.

Comment #9

1 April 2016 at 22:31

Status:

Needs review

» Needs work

The last submitted patch, 8: 2687789-latest-tab.patch, failed testing.

Comment #10

1 April 2016 at 22:32

The last submitted patch, 8: 2687789-latest-tab.patch, failed testing.

Comment #11

1 April 2016 at 22:32

The last submitted patch, 8: 2687789-latest-tab.patch, failed testing.

Comment #12

Crell CreditAttribution: Crell at Palantir.net for Acquia commented 1 April 2016 at 22:54

Status:

Needs work

» Needs review

File	Size
2687789-latest-tab.patch	5.93 KB
8.x-1.x: PHP 5.5 & MySQL 5.5, D8.2 61 pass PHP 5.6 & MySQL 5.5, D8.2 61 pass PHP 7 & MySQL 5.5, D8.2 61 pass

1 file was hidden/shown/deleted

File	Size
2687789-latest-tab.patch	5.45 KB
8.x-1.x: PHP 5.5 & MySQL 5.5, D8.2 59 pass, 2 fail PHP 5.6 & MySQL 5.5, D8.2 59 pass, 2 fail PHP 7 & MySQL 5.5, D8.2 59 pass, 2 fail

Hm, need to tweak the permissions in the Simpletests. I keep forgetting those are even there.

Comment #13

1 April 2016 at 23:07

Crell committed f73e543 on 8.x-1.x

Issue #2687789 by Crell, josephdpurcell: Latest revision gives access...

Comment #14

Crell CreditAttribution: Crell at Palantir.net for Acquia commented 1 April 2016 at 23:08

Status:

Needs review

» Fixed

Merged.

Comment #15

15 April 2016 at 23:14

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Comment #16

SimFin CreditAttribution: SimFin commented 11 December 2018 at 16:38

File	Size
change-latest-version-permission-to-view-own-unpublished-content-2687789.patch	1.12 KB

I have an issue with users who I want to view the Latest version tab, but I don't want them to have the 'View all unpublished content' permission, but only the 'View own unpublished content'. I have attached a patch for this particular situation.