menu_tree_check_access: only filter by status = 1 for non content admins

This is probably reasonable (and maybe even a 6.x bugfix) since there is no meaningful reason to limit administrators in this way.

Looks sensible to me.

Makes sense.

There is a now a permission for user_access('view own unpublished content'). just went in recently. see node_access() for example.

Here is the patch for D8 with added support for the 'view own unpublished content' permission.

Code looks fine, does this deserve a test case?

Somewhat related to #50680: "Printer-friendly version" of unpublished book pages is blank issue I worked on. Looks like this patch would also fix the issue related there.

#6: drupal-menu_tree_check_access-520786-6.patch queued for re-testing.

Retesting against latest HEAD since it has been over a year.

Here's a re-roll of beeradb's original patch against current 7.x HEAD. (I ran into the same issue in prod too...)

#6: drupal-menu_tree_check_access-520786-6.patch queued for re-testing.

This is a re-roll of rooby's patch from #6 against current D8 head. I've also swopped instances of user_access for $account->hasPermission() and got rid of the global $user from the previous patch.

Uploaded the wrong patch. This is the right one.

Not sure of the status of this issue. Also, the menu_tree_check_access() function doesn't exists anymore in current D8 HEAD.

Maybe this could still apply on D7 ?

This is outdated compared to HEAD. This code was removed.

Can this issue not still be kept open to fix the issue in D7?

not sure this APi/security change will be accepted for 7.x, but you can try.

Drupal 7 uses global $user instead of $account = \Drupal::currentUser();

In addition, you can call user_access() without having to pass in the global $user object. See previous D7 patches in this issue as an example.

Please please, can anyone create a working patch for D7?
Above patches failed!

I have a critical problem - Authors with 'view own unpublished content'-permission can not find own unpublished pages in there own books!
- Authors only possibility to find own unpublished page is to writ page-address in URL (views-list not work or the core # /admin/content
The only permission who can see the pages in list or menus is the ''Bypass content access control'!

Compromise solution found!
This issue describe a logical permission problem related to Book and core permission incompatibility. But there is very good module, view_unpublished, who solve some problem and make unpublished nodes visible to the author who did create them if you set up a Views and let a Views Display show them.

Its also good that you not need to set the permission: 'View any unpublished content' for the content type to be viewed! Views makes is possible to view the nodes through the view_unpublished module. Views is able to view all own nodes if the core permission 'view own unpublished content' is active fore the role.