Update preview mode docs with less-permissive permissions
Package containing the bug
next (Drupal module)
Describe the bug
From Drupal Slack:
@tjheffner:
I have a role that has these permissions, per the guide here https://next-drupal.org/learn/preview-mode/create-oauth-client#2-assign-permissions
- Bypass content access control
- Issue subrequests
- View user information
However, when I try to view draft content, I get this error with that user. I would expect bypass content access control provides all the perms needed for draft content... so I did not also grant the user the administrator role.
Path: /jsonapi/node/news_story/ ... &resourceVersion=rel%3Aworking-copy. Drupal\jsonapi\Exception\EntityAccessDeniedHttpException: The current user is not allowed to GET the selected resource. in Drupal\jsonapi\Access\EntityAccessChecker->getAccessCheckedResourceObject() (line 139 of /var/www/html/docroot/core/modules/jsonapi/src/Access/EntityAccessChecker.php).
Andy Marquis:
Assigning the administrator role just seemed like an extra potential security risk so that's why I didn't. I haven't had any issues previewing from at least within my local environment at all for content in any moderation state.
@tjheffner:
Figured it out, this list of permissions without the administrator role works for all preview cases:
permissions:
- 'access content'
- 'access user profiles'
- 'issue subrequests'
- 'view all revisions'
- 'view any unpublished content'
- 'view latest version'
- 'view media'
Expected behavior
Docs should not recommend adding admin role to the next-drupal user as that is against security best practices.
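As an added example (not part of the issue or of next-drupal's own docs), this is what a least-privilege role for the preview user looks like as a Drupal config export, using the permission list from the thread above. The role machine name `next_preview`, the label and the weight are assumptions; the `uuid` line that a real export carries is omitted, and the module dependencies are the ones that provide each permission (node, user, content_moderation, media, subrequests). The point is `is_admin: false` plus an explicit permission list, instead of granting the `administrator` role.

```yaml
# user.role.next_preview.yml (constructed example; role id and label assumed)
langcode: en
status: true
dependencies:
  module:
    - content_moderation   # 'view any unpublished content', 'view latest version'
    - media                # 'view media'
    - node                 # 'access content', 'view all revisions'
    - subrequests          # 'issue subrequests'
    - user                 # 'access user profiles'
id: next_preview
label: 'Next.js preview'
weight: 3
# Keep this false: an admin role (or assigning 'administrator') grants every
# permission on the site to whoever holds the OAuth client credentials.
is_admin: false
permissions:
  - 'access content'
  - 'access user profiles'
  - 'issue subrequests'
  - 'view all revisions'
  - 'view any unpublished content'
  - 'view latest version'
  - 'view media'
```

Drop the file into the site's config sync directory and import it with `drush config:import`, then check `drush role:list` to confirm the preview user's role carries only these seven permissions and that no `administrator` role is attached to that account. Note that `bypass node access` (the "Bypass content access control" permission from the original guide) is deliberately absent: as the thread shows, it did not make working-copy revisions readable through JSON:API, and it is a far broader grant than the revision and moderation permissions that preview actually needs.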