localgovdrupal / localgov_workflows

Default editorial workflow for LocalGov Drupal content.
GNU General Public License v2.0

Review date goes to access denied if user does not have permission to publish #40

Open andybroomfield opened 2 years ago

andybroomfield commented 2 years ago

Some roles at BHCC don't have the publish transition, but can edit others' site content. When a content type has the review date field, the review toggle is visible to the user without the publish workflow state permission. Toggling this, selecting 'I have reviewed this content' and saving leads to a 403 error, presumably as it is trying to publish the page.

There are two issues at play here.

  1. The 'I have reviewed this content' should only be visible if the page is currently in the review state, otherwise it does nothing.
  2. If a user does not have permission to publish, they should either:
    • Not see the review date widget
    • It should bypass the publish workflow permission (Risky!)
    • It should trigger a different workflow state (Reviewed) that can only be reached by the review date widget.

The use case here is that at BHCC we will have directory editors who will need to edit and review directory entries, but not publish them as they need to be reviewed by comms. However they do need to tell us they are accurate and up to date on a regular basis, in which case a review date functionality could be useful.

andybroomfield commented 2 years ago

This seems to affect the transition when toggling the review date when the content has not been published for the first time, so a fix could be to check the content has been published before displaying the widget. And perhaps a separate permission to use the review date widget.

stephen-cox commented 2 years ago

> 1. The 'I have reviewed this content' should only be visible if the page is currently in the review state, otherwise it does nothing.

I don't think this is the case. It should be possible to review a piece of content before it is scheduled for review.

The simplest solution would be to hide the widget to those without the necessary permissions. Would that solve the issue here?