Skip to content

Entity Query access control to decide if users can reference content. #319

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ekes wants to merge 4 commits into
base: 2.x
Choose a base branch
from
Open

Entity Query access control to decide if users can reference content. #319

ekes wants to merge 4 commits into from

Conversation

@ekes
Copy link
Member

@ekes ekes commented Aug 26, 2025

#216 (comment)

Adds tests. I think they're failing, because I think they do get the content in the list.

Pushing for work done. @andybroomfield

ekes added 2 commits August 26, 2025 14:33
@ekes
Entity Query access control to decide if users can reference content.
3770579 
#216 (comment)

Adds tests. I think they're failing, because I think they do get the
content in the list.
@ekes
Unused use statement.
284a349
@andybroomfield
Copy link
Contributor

andybroomfield commented Aug 27, 2025

This is what I am seeing with this patch.

Testing with an unpublished landing page
Screenshot 2025-08-27 at 3 41 38 pm

Before: Editor cannot reference unpublished landing pages.
Screenshot 2025-08-27 at 3 41 46 pm
(Nothing in the entity reference drop down and this can't be saved).

After: Unpublished landing page appears in drop down autocomplete.
Screenshot 2025-08-27 at 3 49 19 pm

And I can link on the landing page.
Screenshot 2025-08-27 at 3 49 59 pm

@ekes
Copy link
Member Author

ekes commented Aug 27, 2025

What the tests are at least failing on is that users that don't have the permission to see the unpublished content also see it.

@andybroomfield
Copy link
Contributor

andybroomfield commented Aug 27, 2025

@ekes ok, looking at that. I took away the editors view any unpublished content and checked again, whilst they can't see the unpublished landing page, it still appears in the list.
Is the check being run here for view or view_label as I know that was a recent Drupal change.

@andybroomfield
Copy link
Contributor

andybroomfield commented Aug 27, 2025

I think the patch we may have added Users without 'bypass node access' permission can't reference unpublished content even if they have access to it might be causing a conflict with this.

Maybe the safer option is to leave the existing code but add a check for hasPermission('view any unpublished content') alongside the checks for node acesss?

@andybroomfield
Copy link
Contributor

andybroomfield commented Aug 27, 2025

Interesting that whilst I could save it, going back to the edit page gave me this.... (Parent is now restricted access).
Screenshot 2025-08-27 at 6 35 12 pm

@andybroomfield
Copy link
Contributor

andybroomfield commented Aug 27, 2025

Just noting that a similar fix was committed for menu items in Drupal 10.1 so whilst I don't know why entityAccess(TRUE) is not filtering, adding !$this->account->hasPermission('view any unpublished content') to the check looks like the correct way forward.

@andybroomfield
Restore the previous node_access check with addition of view any unpu…
ef6e1db 
…blished permission

In the entity reference service selector.
Restore previous node_access checking, and restrict to published nodes if the checks
do not pass. Additionally, check if the user has permission view any unpublished content
and allow access to unpublished nodes if that is the case.
@andybroomfield andybroomfield force-pushed the fix/2.x/216-admin-unpublished-access branch from e1f27f3 to ef6e1db Compare August 27, 2025 20:25
@andybroomfield
Apply view any unpublished content permission fix to EntityChildRelat…
7023a20 
…ionshipsUi

Apply same limit to the widget used to find referenced child pages.
@andybroomfield andybroomfield force-pushed the fix/2.x/216-admin-unpublished-access branch from 2ed8dc8 to 7023a20 Compare August 28, 2025 10:47
@andybroomfield
Copy link
Contributor

andybroomfield commented Aug 28, 2025

@ekes I've tried to restore the previous logic and add the permission check for 'view any unpublished content' but that seems to have made the tests fail. From manually testing though it appears to be functional, with unpublished landing / service pages hidden if the user does not have any of the right access permissions.

andybroomfield
andybroomfield previously approved these changes Aug 29, 2025
View reviewed changes
@finnlewis finnlewis self-requested a review September 9, 2025 11:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andybroomfield andybroomfield andybroomfield left review comments

@finnlewis finnlewis Awaiting requested review from finnlewis

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ekes @andybroomfield