[5.x] Only apply the published filter when not in preview mode (#11652)

TheBnl · jasonvarga · web-flow · commit 56f0f31fdb1c · 2025-04-25T16:59:42.000-04:00
Co-authored-by: Jason Varga &lt;jason@pixelfear.com&gt;
diff --git a/src/GraphQL/Queries/EntryQuery.php b/src/GraphQL/Queries/EntryQuery.php
@@ -69,7 +69,7 @@ public function resolve($root, $args)
             $query->where('site', $site);
         }
 
-        $filters = $args['filter'] ?? null;
+        $filters = $args['filter'] ?? [];
 
         $this->filterQuery($query, $filters);
 
@@ -107,7 +107,7 @@ public function resolve($root, $args)
 
     private function filterQuery($query, $filters)
     {
-        if (! isset($filters['status']) && ! isset($filters['published'])) {
+        if (! request()->isLivePreview() && (! isset($filters['status']) && ! isset($filters['published']))) {
             $filters['status'] = 'published';
         }
 
diff --git a/tests/Feature/GraphQL/EntryTest.php b/tests/Feature/GraphQL/EntryTest.php
@@ -4,6 +4,7 @@
 
 use Facades\Statamic\API\FilterAuthorizer;
 use Facades\Statamic\API\ResourceAuthorizer;
+use Facades\Statamic\CP\LivePreview;
 use Facades\Statamic\Fields\BlueprintRepository;
 use Facades\Tests\Factories\EntryFactory;
 use PHPUnit\Framework\Attributes\DataProvider;
@@ -755,4 +756,44 @@ public function it_only_shows_published_entries_by_default()
                 'title' => 'That will be so rad!',
             ]]]);
     }
+
+    #[Test]
+    public function it_only_shows_unpublished_entries_with_token()
+    {
+        FilterAuthorizer::shouldReceive('allowedForSubResources')
+            ->andReturn(['published', 'status']);
+
+        $entry = EntryFactory::collection('blog')
+            ->id('6')
+            ->slug('that-was-so-rad')
+            ->data(['title' => 'That was so rad!'])
+            ->published(false)
+            ->create();
+
+        LivePreview::tokenize('test-token', $entry);
+
+        $query = <<<'GQL'
+{
+    entry(id: "6") {
+        id
+        title
+    }
+}
+GQL;
+
+        $this
+            ->withoutExceptionHandling()
+            ->post('/graphql', ['query' => $query])
+            ->assertGqlOk()
+            ->assertExactJson(['data' => ['entry' => null]]);
+
+        $this
+            ->withoutExceptionHandling()
+            ->post('/graphql?token=test-token', ['query' => $query])
+            ->assertGqlOk()
+            ->assertExactJson(['data' => ['entry' => [
+                'id' => '6',
+                'title' => 'That was so rad!',
+            ]]]);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ public function resolve($root, $args)`
`69`	`69`	`$query->where('site', $site);`
`70`	`70`	`}`
`71`	`71`
`72`		`- $filters = $args['filter'] ?? null;`
	`72`	`+ $filters = $args['filter'] ?? [];`
`73`	`73`
`74`	`74`	`$this->filterQuery($query, $filters);`
`75`	`75`
`@@ -107,7 +107,7 @@ public function resolve($root, $args)`
`107`	`107`
`108`	`108`	`private function filterQuery($query, $filters)`
`109`	`109`	`{`
`110`		`- if (! isset($filters['status']) && ! isset($filters['published'])) {`
	`110`	`+ if (! request()->isLivePreview() && (! isset($filters['status']) && ! isset($filters['published']))) {`
`111`	`111`	`$filters['status'] = 'published';`
`112`	`112`	`}`
`113`	`113`