It is somewhat disconcerting to users who have the 'administer book outlines' permission to see the 'outline' tab and 'outline' fieldset on every single node type, regardless of whether that node type has been configured to be allowed in books. I can see a use-case where that might be a desired feature, but i think its probably relatively rare.
The steps to repeat this are:
with a clean install of drupal,
1) turn the book module on
2) configure book module to only use 'book' content type
3) as admin or a user with 'administer book outlines' permission, create or edit a 'page' node (not a book node)
i would expect that 'outline' would not show for 'page' nodes since only 'book' nodes are set to use outlines.
I created the following patch to gracefully address this issue. The simplest solution I could think of was to create an additional checkbox in the content/book/settings form that when checked restricts book outlines to only the designated book-types. By default this is not checked, so that any drupal installs that might rely on "seeing outline information on all node types regardless of config settings" wont be broken by this patch after upgrading.
Its pretty basic, doesn't change anything by default and so hopefully it will be well received (and help someone too!)
Comment | File | Size | Author |
---|---|---|---|
#106 | interdiff_104-106.txt | 797 bytes | Prem Suthar |
#106 | 502430-106.patch | 14.1 KB | Prem Suthar |
| |||
#104 | reroll_diff_90-104.txt | 4.27 KB | pooja saraah |
#104 | 502430-104.patch | 14.1 KB | pooja saraah |
#98 | 502430-nr-bot.txt | 3.46 KB | needs-review-queue-bot |
Comments
Comment #1
garbo CreditAttribution: garbo commentedWhere do I need to place this patch in order to work?
I don't know what to do with a patch to make it work.
Comment #2
itaine CreditAttribution: itaine commentedThis makes "Allowed book outline types:" actually work! IMHO should be added to core as a fix. Thank you netw3rker!
Comment #3
dyke it CreditAttribution: dyke it commentedworks perfectly for me. thank you kindly!! :)
Comment #4
TimG1 CreditAttribution: TimG1 commentedSubscribing.
In addition to what netw3rker explained there is another effect to this issue.
Under Content Management > Books > Settings there is this line of text....
"Select content types which users with the add content to books permission will be allowed to add to the book hierarchy. Users with the administer book outlines permission can add all content types."
With the way the book module is today, I don't see a way to enable a role to be able to edit an outline of a given book AND allow them to add only a certain content type to that book.
Since the "administer book outlines" permission will give them the ability to add all content types and they cannot edit outlines without this permission it's an all or nothing for outline editing. Unless I'm missing something obvious?
-Tim
Comment #5
stefan81 CreditAttribution: stefan81 commented@netw3rker
Thank you!
It worked so far. (Version 6.15)
I hope this patch finds its way into core.
I also thought that should be an obvious behaviour, only to show the outline fieldset on content types which are assigned to books.
Comment #6
girishmuraly CreditAttribution: girishmuraly commentedI think the status to be set to 'needs review' to let the Testing Bot trigger an automated review of the patch, and report the results.
Comment #8
girishmuraly CreditAttribution: girishmuraly commentedI guess the patch netw3rker attached was not created from the root directory. Trying again..
Comment #9
girishmuraly CreditAttribution: girishmuraly commentedComment #11
girishmuraly CreditAttribution: girishmuraly commentedOk, I must admit I have not got patches to pass testing either. As per the guidelines on creating patches - http://drupal.org/patch/create - we have to create it on the latest dev release. I see this issue is also on 7.x Dev snapshot which I downloaded.
I will try to use two different patch files for book.module and book.admin.inc.
Should this fail, may I request someone to help with the patching please?
Thanks
Comment #12
girishmuraly CreditAttribution: girishmuraly commentedAttaching the patches for Drupal 6 (based on 6.17 release).
Comment #13
girishmuraly CreditAttribution: girishmuraly commentedComment #14
netw3rker CreditAttribution: netw3rker commented@girishmuraly Thanks! that was my first core patch submission & I just sort of left it after putting it out there. I'm glad its being put to good use somewhere!
Comment #16
Wappie08 CreditAttribution: Wappie08 commentedI like this one, doesn't seem to be committed yet, is it going to be??
Greetings Bas
Comment #17
savedario CreditAttribution: savedario commentedYes, I will be installing this too.
Is there a chance it to be committed into core or is there a code freeze ?
Ciao
Comment #18
lubnax CreditAttribution: lubnax commentedsubscribe
Comment #20
stacysimpson CreditAttribution: stacysimpson commentedShip it! Works great on 6.19.
Comment #21
netw3rker CreditAttribution: netw3rker commentedI'm setting this to "reviewed and tested by the community" hopefully that will get 6.x maintainers to review and comment back on whether and when it will go in.
for the maintainers: This does not change how the existing book module functionality operates, so existing sites and configs will not have to do anything. it provides an option that is disabled by default, but when enabled, allows the book module to function as users would expect it to.
-Chris
Comment #22
tstackhouse CreditAttribution: tstackhouse commentedSubscribing. I just implemented a helper module to effectively do what this patch does, with the exception of simply forcing the administer outlines perm to respect the available types permission.
Comment #23
jelo CreditAttribution: jelo commentedSubscribe
Comment #24
pwolanin CreditAttribution: pwolanin commentedPatches have code style issues.
bugs have to be fixed in HEAD first.
Comment #25
Gábor HojtsyThis patch basically removes a feature, however distracting that feature is, basically this is about removing an unintended feature. Not sure that is a good idea in a stable version (6.x or 7.x alike).
Comment #26
pwolanin CreditAttribution: pwolanin commentedDiscussing with netw3rker over email. A possible way forward would be to link the ability to put any content into books to the 'administer nodes' permission instead.
Comment #27
savedario CreditAttribution: savedario commentedI am not sure I agree with that statement.
Why would you define a feature the possibility to maintain the outline of a content type that is not supposed to have an outline ?
I call this a bug.
Comment #28
Gábor HojtsyWell, I see this as a property of the "administer...." permission. You can set workflow bits for node types on the content type page, but if you have "administer nodes", you can override all that anytime. Same for "administer book outlines", you get more powers. I think that was the thinking when this was implemented. Anyway, generally I agree it looks like a bug, but I can also see how people kind of expect this with an "administer ..." permission.
Comment #29
pwolanin CreditAttribution: pwolanin commented@Gabor - I think the present situation makes that permission much less useful than it should be.
I'd favor changing the check about moving all content into books to 'administer nodes' since that is already accepted as having maximal control over content.
Comment #30
netw3rker CreditAttribution: netw3rker commented@gabor, the patch as it stands does not actually remove anything, or alter the behavior of existing installations. it gives users the option of making the book module perform as they would expect. However, by default after the patch is applied, nothing changes or functions differently.
In general, the whole issue stems from the fact that there really needs to be 2 permissions here: 1) "administer all books" (which is not the same as administer all nodes) and 2) "add any content to books" which should be for very privileged users who can see/manage any content.
Given that the 2 permission model *would* require a functionality change to core's book module, and *would* effect installations after an upgrade, it makes more sense in my opinion to give users the ability to opt in to the change, and keep things running as expected, than to change the functionality and make everyone who liked it the way it worked originally have to opt out.
That being said, I would rather see this issue get corrected the right way and see a 2 permission model enacted. whether that means we go with "administer all books" and "add any content to books" or its decided that "administer all books" and "administer all nodes" will suffice doesn't particularly matter to me, though i think the former makes the system a bit more configurable than the latter.
-Chris
Comment #31
wjaspers CreditAttribution: wjaspers commentedOops, I didn't see this thread before, so I've accidentally submitted a duplicate issue a few days back, where there's a patch as well:
http://drupal.org/node/1196576
Comment #32
scotwith1tI don't see why this is still under discussion. It's terribly confusing when you see an Outline tab under nodes that can't/shouldn't be able to be in an outline. #12 works great for me.
Comment #33
soulfroys#12 works great for me too...
Comment #34
dagomar CreditAttribution: dagomar commentedI know this is a very old issue, but I still need this in my installation. The old patches don't work with drush make, so I created a new patch, I also did a bit of clean up so the descriptions are in a t() and such.
Comment #35
dagomar CreditAttribution: dagomar commentedI had to change my previous patch. The problem was that the node form alter now uses _book_outline_access, which expected a node object (with a nid), however no nid has been set when we create a node. So I altered the access check a little bit so it takes this into account by passing the node type as a string on node creation. Then node_access can handle the rest.
Comment #36
mikran CreditAttribution: mikran commentedThis does not work when creating a new node. "Notice: Trying to get property of non-object" notices are triggered as $node passed to node_access() is not an object.
Attached patch fixes this.
EDIT: and to reproduce this some spesific conditions are required. User must not have 'bypass node access' permission. User must have 'access content' permission. And finally hook_node_access implementations must not deny or allow access.
Comment #37
RoSk0This works as described and fixes confusing issue.
Patch attached is just a re-roll plus minor code standard fix, so all credits to original authors.
Comment #38
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedComment #39
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedThe same behavior occurs in Drupal 8 so this would need to go in Drupal 8 first.
Also, the current behavior is a documented feature - I can see the rationale for wanting to change it, but am not sure yet-another-setting-in-the-admin-UI is a great way to do it. Splitting out a new permission along the lines of "add any content to books" (as discussed in #30 above) sounds like a better solution - yes, there are some backwards compatibility concerns with that, but relatively minor (there probably isn't too much contrib/custom code out there that interfaces with this part of the Book module, and mostly the concern would be broken links).
Meanwhile, a brief review of the patch:
Comment #41
ahmadhalah CreditAttribution: ahmadhalah as a volunteer and at Vardot commentedthe update is working but no need to make user has "administer book outline" permission
Comment #44
missvengerberg CreditAttribution: missvengerberg at Atenea tech for Diputació de Barcelona commentedMy team mates and I have been using this little patch for almost a year now on a project. I'll just share it too.
Comment #45
oriol_e9gYeah nice! but still needs tests.
Comment #46
oriol_e9gIMO add a new permission is the best approach, as commented in #39.
Added a new permission 'add any content to books', so users with this perm can use the book outline form in all node types, and other users only in allowed book types as expected.
Comment #47
oriol_e9gAdding tests.
Comment #48
oriol_e9gSorry for the noise, I will try to minimize changes.
Comment #49
oriol_e9gAdded a hook_update to grant the new permission to all roles with 'administer book outlines' for backward compatibility.
Comment #50
oriol_e9gAll green ready for review :)
Comment #51
oriol_e9gComment #52
dbielke1986 CreditAttribution: dbielke1986 commentedThank you for fixing this issue.
After applying this patch I am getting the following error after saving an exisiting node (content type is not an book enabled one):
"You can only change the book outline for the published version of this content."
Is someone having an idea?
Comment #53
Chris Burge CreditAttribution: Chris Burge commented#49 gets us most of the way there. We also need to control access to the 'entity.node.book_outline_form' route. This route is for path '/node/{id}/outline'.
Attached patch also clarifies some of the comments/language. Tests are updated (but may fail on the first run).
Comment #55
Chris Burge CreditAttribution: Chris Burge commentedReworked tests.
Comment #57
Chris Burge CreditAttribution: Chris Burge commentedReworked tests.
Comment #59
Chris Burge CreditAttribution: Chris Burge commentedComment #61
Chris Burge CreditAttribution: Chris Burge commentedComment #63
Chris Burge CreditAttribution: Chris Burge commentedComment #65
Chris Burge CreditAttribution: Chris Burge commentedComment #66
yogeshmpawarComment #67
yogeshmpawarFew coding standard issues resolved & added an interdiff.
Comment #68
Chris Burge CreditAttribution: Chris Burge commentedAttached patch incorporates #67. It also includes additional code standard fixes and comments clean up.
The primary change between #49 and the current patch is that now access to a node’s book settings (both the ‘outline’ tab and the vertical tab on the ‘edit’ page) are controlled by the new BookNodeOutlineAccessCheck access plugin.
Comment #69
Chris Burge CreditAttribution: Chris Burge commented@JD_1, re #52 - I made several attempts to reproduce the behavior you described. I believe you're getting caught by BookOutlineConstraintValidator::validate(), but I don't know why. Are you able to provide steps to reproduce?
Comment #70
dbielke1986 CreditAttribution: dbielke1986 commentedI will try it with your last patch tomorrow and give you some feedback. Maybe it is related to the issue/fix for the i18n support for books...
Comment #71
dbielke1986 CreditAttribution: dbielke1986 commentedOk: I did some additional tests with the latest patch and here are my results:
For book-enabled content types everything seems to be working fine
If I try to use other content types I still get the error (see attached file)
To get the error I did the following:
1) Apply Patch
2) Run database update
3) Clear cache
4) Uncheck the permission for to add non-book-related content in the permissions
5) Activate the default content moderation worklow for the default content type "basic page"
6) Logon with the user who did not have the permission (point 4)
7) Create a basic page as "draft"
8) Publish this draft/basic page
=> Until this point everything seems to be working
9) Create a new draft
=> Error
Comment #72
dbielke1986 CreditAttribution: dbielke1986 commentedComment #73
dbielke1986 CreditAttribution: dbielke1986 commentedI checked the access function within the BookNodeOutlineAccessCheck and get the following return for:
a) a book enabled type:
$this->currentUser->hasPermission('add any content to books') = 1
$this->currentUser->hasPermission('add content to books') = 1
!empty($node->book['bid']) = 1
!$node->isNew()) = 1
book_type_is_allowed($node->getType()) = 1
b) a not enabled book type:
$this->currentUser->hasPermission('add any content to books') = 0
$this->currentUser->hasPermission('add content to books') = 1
!empty($node->book['bid']) = 0
!$node->isNew()) = 1
book_type_is_allowed($node->getType()) = 0
BR
Comment #74
Chris Burge CreditAttribution: Chris Burge commented@JD_1 - I'm able to reproduce the bug you described without the patch being offered by this issue.
Steps to reproduce:
You can only change the book outline for the published version of this content.
You'll need to open a new issue against core for the Book module. I'd mark it as Major since it renders content moderation unusable with no workaround.
Comment #75
dbielke1986 CreditAttribution: dbielke1986 commented@Chris-burge
Trank you so much for your quick Response and your test!
Just one question:
If this is a core bug-what is this patch fixing. Or the other way around: what can I test to see that this fix is working.
I thought this is exactly what this patch is trying to do.
Or is the major reason/difference to your system the activated content moderation module?
Comment #76
Chris Burge CreditAttribution: Chris Burge commentedThis issue isn't seeking to fix a bug; rather, it's a feature request. Currently, if someone has the 'administer book outlines' permission, then that user can also add non-book content to book outlines. This issue seeks to move that capability to an 'add any content to books' permission. In the event a non-book node is already in a book outline, then the node's book configuration is exposed to users without the permission.
Steps to test:
Comment #77
ericras CreditAttribution: ericras at University of Nebraska commented1. The titles in book.permissions.yml like Add non-book content to outlines shouldn't have periods after them.
2. Update to book_help() mentioned in #39. I tried to write something but got tongue tied trying to explain exactly what 'Administer book outlines' does now.
3. On /admin/structure/book/settings the description "Users with the 'Administer book outlines' permission can add all content types" needs to be updated. I believe the specified permission just needs to change to 'Add non-book content to outlines'.
Comment #78
Chris Burge CreditAttribution: Chris Burge commentedComment #79
Chris Burge CreditAttribution: Chris Burge commented@ericras - Good catches. All points have been addressed in the attached patch.
I also modified BookNodeOutlineAccessCheck::access(). Previously, the 'Add non-book content to outlines' permission implicitly granted the 'Add content and child pages to books and manage their hierarchies' permission, too. I have changed this behavior. Now the 'Add non-book content to outlines' permission is only considered if the role already has the 'Add content and child pages to books and manage their hierarchies' permission. Such is now now stated in the permission description for 'Add non-book content to outlines'.
Comment #80
Chris Burge CreditAttribution: Chris Burge at University of Nebraska commentedAttached patch has corrected Git paths.
Comment #83
Chris Burge CreditAttribution: Chris Burge at University of Nebraska commentedJust tested against 8.9.x and 9.1.x. The test failure for 8.9.x can be disregarded. The failure of
Drupal\Tests\ComposerIntegrationTest::testComposerLockHash
is unrelated.Comment #84
timwoodI've rerolled the patch provided by @chris-burge almost a year ago as it was no longer applying to 8.9.x due to other commits to
core/modules/book/tests/src/Functional/BookTest.php
. Patch and interdiff (I think I did that right) attached.Comment #85
mindbet CreditAttribution: mindbet as a volunteer commentedPatch is updated for 9.1x
Interdiff (not sure if helpful) also attached.
Comment #86
mindbet CreditAttribution: mindbet as a volunteer commentedUpdated patch to fix 'failed to apply'
Comment #88
PCate CreditAttribution: PCate commentedPatch applied cleanly and new book permission worked great.
Comment #89
quietone CreditAttribution: quietone as a volunteer commentedI took a very brief look at the code and spotted this;
Both of these changes appear to be out of scope.
Comment #90
adityasingh CreditAttribution: adityasingh as a volunteer and at Srijan | A Material+ Company for Drupal India Association commentedReroll the patch for
9.2.x
and fixed as suggested in #89.Comment #92
Ahmad Abbad CreditAttribution: Ahmad Abbad as a volunteer and at Vardot for Vardot commentedPatch #90 worked for me on 9.2.5
Comment #94
joachim CreditAttribution: joachim at Factorial GmbH commentedThe issue summary doesn't correspond to the fix in the most recent patch.
Comment #96
star-szrI think the "Performance" tag may be justifiable here, and if so, makes me think that this could be bumped from a feature request to a task.
The following xhprof diff is from a real-world site, showing the difference on a node edit form which is not enabled as a book content type. Before is without the patch, After is with the patch from #90. I'm testing as a user that does not have the newly added permission in this scenario.
This could probably use more profiling with a more "stock" setup for sure.
Comment #98
needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commentedThe Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
Comment #99
Deshna Chauhan CreditAttribution: Deshna Chauhan commentedAdded patch against #90 in version 10.1.
Comment #100
BramDriesenHiding patch #99 as it's incomplete. You omitted the /core/modules/book/src/Access/BookNodeOutlineAccessCheck.php class
@Deshna Chauhan Please stop uploading incomplete and broken re-roll patches without an interdiff.
Comment #101
Nitin shrivastava CreditAttribution: Nitin shrivastava at OpenSense Labs commented@BramDriesen Try to addressed your point add all file in reroll for d10.
Comment #102
BramDriesen@Nitin shrivastava Thanks, but your patch is still missing the /core/modules/book/src/Access/BookNodeOutlineAccessCheck.php class. And from a quick glance you're also missing a newline in the first code block.
I suggest to ignore what was done in #99 and start fresh from the patch in #90.
Hiding your patch and interdiff as well for that reason.
For the next person coming in. Start from #90 and provide a patch+interdiff based of that patch.
Comment #103
quietone CreditAttribution: quietone at PreviousNext commented@Deshna Chauhan and @Nitin shrivastava I am removing credit for the unhelpful patches per How is credit granted for Drupal core issues.
Comment #104
pooja saraah CreditAttribution: pooja saraah at Srijan | A Material+ Company for Drupal India Association commentedAddressed the Comment #102
Attached patch against Drupal 10.1.x
Attached reroll patch
Comment #105
BramDriesen@pooja saraah That looks a lot better! Thanks :)
Needs work still justified for #94
Comment #106
Prem Suthar CreditAttribution: Prem Suthar at Srijan | A Material+ Company for Drupal India Association commentedRe-Roll The Patch #104 Due To Custom CMD Failed.
Comment #107
pooja saraah CreditAttribution: pooja saraah at Srijan | A Material+ Company for Drupal India Association commentedComment #108
smustgrave CreditAttribution: smustgrave at Mobomo commentedStill needs issue summary update from #94
Comment #110
quietone CreditAttribution: quietone at PreviousNext commentedThis extension is being deprecated, see #3376070: [Meta] Tasks to deprecate Book module. It will be removed from core and moved to a contrib project, #3376101: [11.x] [Meta] Tasks to remove Book.
This is now Postponed. The status is set according to two policies. The Remove a core extension and move it to a contributed project and the Extensions approved for removal policies.
This issue may be re-opened if it can be considered critical, If unsure, re-open the issue and ask in a comment.