Description
Package containing the bug
next (Drupal module)
Describe the bug
From Drupal Slack:
I have a role that has these permissions, per the guide here https://next-drupal.org/learn/preview-mode/create-oauth-client#2-assign-permissions
- Bypass content access control
- Issue subrequests
- View user information
However, when I try to view draft content, I get this error with that user. I would expect bypass content access control provides all the perms needed for draft content... so I did not also grant the user the administrator role.
Path: /jsonapi/node/news_story/ ... &resourceVersion=rel%3Aworking-copy. Drupal\jsonapi\Exception\EntityAccessDeniedHttpException: The current user is not allowed to GET the selected resource. in Drupal\jsonapi\Access\EntityAccessChecker->getAccessCheckedResourceObject() (line 139 of /var/www/html/docroot/core/modules/jsonapi/src/Access/EntityAccessChecker.php).
Andy Marquis:
Assigning the administrator role just seemed like an extra potential security risk, so that's why I didn't. I haven't had any issues previewing, at least within my local environment, for content in any moderation state.
Figured it out: this list of permissions, without the administrator role, works for all preview cases:
permissions:
- 'access content'
- 'access user profiles'
- 'issue subrequests'
- 'view all revisions'
- 'view any unpublished content'
- 'view latest version'
- 'view media'
Expected behavior
Docs should not recommend adding the administrator role to the next-drupal user, as that is against security best practices.
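For reference, the two configurations side by side as a Drupal role config export (`user.role.<id>.yml`). This is an added example, not code from next-drupal or from the thread: the role id `next_preview`, the label, and the explicit module dependency list are assumptions. The machine names map to the labels above as follows: "Bypass content access control" is `bypass node access`, "View user information" is `access user profiles`, and "Issue subrequests" is `issue subrequests` (provided by the Subrequests module). The `view any unpublished content` and `view latest version` permissions come from Content Moderation, which is what the working-copy (`resourceVersion=rel:working-copy`) request exercises; `view media` from Media is only needed if preview pages load media entities.

```yaml
# Added example (not from the thread). The weak setting is granting the
# preview account the built-in "administrator" role, i.e. a role with
# is_admin: true, which implicitly has every permission on the site.
# The role below grants only what the working list in the thread needs.
langcode: en
status: true
dependencies:
  module:
    # Assumed dependency list; Drupal recomputes it on save, it is shown
    # here so the provider of each permission is visible at a glance.
    - content_moderation   # view any unpublished content, view latest version
    - media                # view media
    - node                 # access content, view all revisions
    - subrequests          # issue subrequests
    - user                 # access user profiles
id: next_preview
label: 'Next.js preview'
weight: 0
is_admin: false            # never true for a role used by an OAuth client
permissions:
  - 'access content'
  - 'access user profiles'
  - 'issue subrequests'
  - 'view all revisions'
  - 'view any unpublished content'
  - 'view latest version'
  - 'view media'
# Deliberately absent: 'bypass node access'. It is node-wide and did not
# grant working-copy access by itself in the report above; the Content
# Moderation permissions are the ones the draft/latest-revision path checks.
```

Drop this file into the config sync directory as `user.role.next_preview.yml` and import it (for example with `drush config:import`), then assign the role to the OAuth client's Drupal user and repeat the `/jsonapi/node/<type>/<uuid>?resourceVersion=rel:working-copy` request from the report: a `200` with the draft revision confirms the role is sufficient, while the `EntityAccessDeniedHttpException` above means a permission is still missing for that content type or moderation state.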