Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update docs around Drupal permissions for Preview Mode #584

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 9 additions & 5 deletions www/content/tutorials/preview-mode/create-oauth-client.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,17 @@ As from `next-drupal 1.5`, user roles are used for OAuth scopes. The scopes are

Next, assign the following permissions to the newly created role.

- Bypass content access control
- Issue subrequests
- View user information
- 'access content'
- 'access user profiles'
- 'issue subrequests'
- 'view all revisions'
- 'view any unpublished content'
- 'view latest version'
- 'view media'
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried out these new permissions on a Drupal 10.1 site and ran into a snag.

What version of Drupal did you use to create this list?

In Drupal 10.1 some of those permissions don't exist. Best I can tell the permissions are:

  • 'View all media revisions'
  • 'View media'
  • 'View own unpublished media'
  • 'View all revisions'
  • 'View published content'
  • 'View own unpublished content'
  • 'Issue subrequests'
  • 'View user information'

What heading is "view latest version" under? I don't see anything in 10.1 that matches that.

Copy link
Author

@tjheffner tjheffner Nov 29, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These were from a Drupal 9.5.11 site.

On our site, view latest version is underneath the Content Moderation heading, and was required for viewing forward revisions (i.e. new draft revision of previously published content) in our setup

Screenshot 2023-11-29 at 10 14 27 AM

Also, the preview user will likely still want view any unpublished content, not necessarily just their own

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On our site, view latest version is underneath the Content Moderation heading

Aha! I didn't have that installed. That module is also required for the "View any unpublished content" permission. Without that module, the only perms that mention "unpublished" are the ones under the "Node"/"Media" modules for "own unpublished".

And, yes, having the "View any unpublished content" permission is required to allow the Next.js User to view unpublished content owned by regular content editors.

I think we should add the module heading for each of these permission so that users (like me!) don't get confused about which permissions to use. Adding the module heading will also give a hint on how to get that permission if it isn't listed on a user's website.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm… I still don't see a 'access content' permission even on a Drupal 9 site. I'm using Node module's 'View published content' permission instead.

I've tested these permissions on a Drupal 10.1 site and they seem to be sufficient:

- 'Content Moderation: View any unpublished content'
- 'Content Moderation: View the latest version'
- 'Media: View all media revisions'
- 'Media: View media'
- 'Node: View all revisions'
- 'Node: View published content'
- 'Subrequests: Issue subrequests'
- 'User: View user information'

Copy link
Author

@tjheffner tjheffner Dec 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I think some of the confusion is my list is coming from the exported config (uses machine names of perms), and the permissions list in the UI doesn't surface those, using the titles instead.

access content is originally coming from Core's system.permissions.yml, and is equivalent to View published content

# Note that the 'access content' permission is moved to the Node section of the
# permission form when the Node module is enabled.
access content:
  title: 'View published content'


<Callout>

We are assigning the _Bypass content access control_ permission to allow Next.js to access unpublished content and revisions.
We are assigning the _view all revisions_ and _view any unpublished content_ permissions to allow Next.js to access unpublished content and revisions.

This scope is only going to be used when making authenticated requests from Next.js to Drupal.

Expand All @@ -55,7 +59,7 @@ const articles = await drupal.getResource(

## 3. Create User

Add a new user at `/admin/people/create` and **assign them all the roles that are going to be used for scopes, including the administrator role and the role we created above**.
Add a new user at `/admin/people/create` and **assign them all the roles that are going to be used for scopes, including the role we created above**.

---

Expand Down