Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[4.x]: User's can't delete their own unpublished drafts without the delete entries permission #14294

Closed
MoritzLost opened this issue Feb 5, 2024 · 3 comments
Closed

[4.x]: User's can't delete their own unpublished drafts without the delete entries permission #14294

MoritzLost opened this issue Feb 5, 2024 · 3 comments
Assignees
@brandonkelly
Labels
bug craft4

Comments

@MoritzLost
Copy link
Contributor

What happened?

Description

We just noticed that users can't delete their own unpublished drafts unless they have the Delete entries permission. I'm not quite sure if this a bug or a feature request – feel free to convert to a discussion if it's working as intended.

Steps to reproduce

  1. Create a user with the following permissions (for any section):

Screenshot 2024-02-05 at 14 46 08

  1. Impersonate the user and create an unpublished draft.
  2. The user can't delete the unpublished draft.

Expected behavior

The view permission gives user's the ability to create drafts. They can also delete their own drafts, but only if they are not the canonical entry. If the draft is canonical (i.e. an unpublished draft without a published canonical entry), they can not delete those drafts.

An unpublished draft is sort of in between published entries and drafts, since they're canonical (like published entries) but only drafts (like non-canonical drafts). So whether deleting them should require only the View permission or also the Delete permission is up for debate.

I would argue that the View permission should suffice to delete your own unpublished draft. The current behaviour is inconsistent, since you can always delete your own non-canonical drafts, but you can't delete unpublished drafts. There's also no way to allow users to delete their own unpublished drafts without also giving them the ability to delete published entries. I know Craft technically doesn't distinguish between unpublished and published anymore, only between draft/non-draft and canonical/non-canonical, but from a user perspective it's a bit inconsistent.

As an alternative, maybe the permission can be split into two permissions, one to delete unpublished drafts and one to delete published entries?

Craft CMS version

4.7.1

PHP version

8.2

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

No response
@brandonkelly brandonkelly self-assigned this Feb 5, 2024
@brandonkelly
Copy link
Member

Thanks for pointing that out! Unpublished drafts are meant to mimic forms for new sections/fields/etc., where nothing is actually saved yet, until you submit the form. So it would definitely be expected that a user could delete their own unpublished draft, in the same way that you can just decide to not submit a form for a new section before you’ve saved it.

Just fixed for the next release.

@MoritzLost
Copy link
Contributor Author

@brandonkelly Great, thanks! Much more consistent this way 👍

@brandonkelly
Copy link
Member

Craft 4.7.2 is out with that fix. Thanks again!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brandonkelly brandonkelly

Labels
bug craft4
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@brandonkelly @MoritzLost