Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
menu_tree_check_access filters it's query by status = 1. This is unexpected behavior when people have the 'administer nodes' permission, and is particularly problematic when dealing with unpublished book nodes, as the nodes don't show up in the parent item select list.
This patch does a simple check to see if the current user has the administer nodes permission, and omits the status = 1 condition if they do. Going to throw it against the wall and see if simpletest likes it, I'll follow up with test fixes if not.
Comments
Comment #1
pwolanin CreditAttribution: pwolanin commentedThis is probably reasonable (and maybe even a 6.x bugfix) since there is no meaningful reason to limit administrators in this way.
Comment #2
beeradb CreditAttribution: beeradb commentedTestbot likes it, pwolanin likes it - anyone else want to chime in? I'd like to get this backported for a d6 project I'm on which it might help with.
Comment #3
catchLooks sensible to me.
Comment #4
Damien Tournoud CreditAttribution: Damien Tournoud commentedMakes sense.
Comment #5
moshe weitzman CreditAttribution: moshe weitzman commentedThere is a now a permission for user_access('view own unpublished content'). just went in recently. see node_access() for example.
Comment #6
rooby CreditAttribution: rooby commentedHere is the patch for D8 with added support for the 'view own unpublished content' permission.
Comment #7
pwolanin CreditAttribution: pwolanin commentedCode looks fine, does this deserve a test case?
Comment #8
mdupontSomewhat related to #50680: "Printer-friendly version" of unpublished book pages is blank issue I worked on. Looks like this patch would also fix the issue related there.
Comment #9
kscheirer#6: drupal-menu_tree_check_access-520786-6.patch queued for re-testing.
Comment #10
kscheirerRetesting against latest HEAD since it has been over a year.
Comment #11
rupertj CreditAttribution: rupertj commentedHere's a re-roll of beeradb's original patch against current 7.x HEAD. (I ran into the same issue in prod too...)
Comment #13
rupertj CreditAttribution: rupertj commented#6: drupal-menu_tree_check_access-520786-6.patch queued for re-testing.
Comment #14
rupertj CreditAttribution: rupertj commentedThis is a re-roll of rooby's patch from #6 against current D8 head. I've also swopped instances of user_access for $account->hasPermission() and got rid of the global $user from the previous patch.
Comment #15
rupertj CreditAttribution: rupertj commentedUploaded the wrong patch. This is the right one.
Comment #16
HazaNot sure of the status of this issue. Also, the menu_tree_check_access() function doesn't exists anymore in current D8 HEAD.
Maybe this could still apply on D7 ?
Comment #17
HazaComment #18
pwolanin CreditAttribution: pwolanin commentedThis is outdated compared to HEAD. This code was removed.
Comment #19
rupertj CreditAttribution: rupertj commentedCan this issue not still be kept open to fix the issue in D7?
Comment #20
pwolanin CreditAttribution: pwolanin commentednot sure this APi/security change will be accepted for 7.x, but you can try.
Comment #21
Vikas.Kumar CreditAttribution: Vikas.Kumar commentedComment #22
mgiffordComment #24
osopolarDrupal 7 uses global $user instead of
$account = \Drupal::currentUser();
Comment #25
rooby CreditAttribution: rooby commentedIn addition, you can call user_access() without having to pass in the global $user object. See previous D7 patches in this issue as an example.
Comment #26
Göran CreditAttribution: Göran commentedPlease please, can anyone create a working patch for D7?
Above patches failed!
I have a critical problem - Authors with 'view own unpublished content'-permission can not find own unpublished pages in there own books!
- Authors only possibility to find own unpublished page is to writ page-address in URL (views-list not work or the core # /admin/content
The only permission who can see the pages in list or menus is the ''Bypass content access control'!
Comment #27
Göran CreditAttribution: Göran commentedCompromise solution found!
This issue describe a logical permission problem related to Book and core permission incompatibility. But there is very good module, view_unpublished, who solve some problem and make unpublished nodes visible to the author who did create them if you set up a Views and let a Views Display show them.
Its also good that you not need to set the permission: 'View any unpublished content' for the content type to be viewed! Views makes is possible to view the nodes through the view_unpublished module. Views is able to view all own nodes if the core permission 'view own unpublished content' is active fore the role.