Currently, any user with `find` or `findOne` permission on a content-type can access draft entries by using the `status` parameter (e.g., `status: DRAFT` in GraphQL or `status=draft` in REST).
This makes it difficult to keep unpublished content private, as there's no built-in way to control draft access per role.
### Suggested Solution
It would be great to have a separate permission for accessing draft content, something like "find drafts" or "findOne drafts" in the role settings. This way, admins could decide who can view unpublished content without affecting regular read permissions.
### Use Case
Draft entries often contain work-in-progress content that shouldn't be visible to end users. Currently, anyone with a valid API token or public access can query draft content, which could lead to unintended exposure of sensitive or unfinished information.
### Current Workaround
Currently, the only way to prevent this is by implementing a custom middleware, but this feels like something that should work out of the box. The expectation with Draft & Publish is that content becomes visible once it's published — not before.
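A sketch of that middleware, added here as an example and not code from this issue or from Strapi: it denies a draft read unless the caller's role is on an explicit allow-list. It assumes the authenticated caller sits at `ctx.state.user` with a `role.name`, and that the allowed role names are passed in the middleware config; both are assumptions, not something the issue states.

```javascript
// Added example (not from the issue or from Strapi): a global middleware that
// denies draft reads unless the caller's role is explicitly allowed, standing
// in for the "find drafts" permission requested above.
// Assumptions: the caller is at ctx.state.user with role.name, and the allowed
// role names come from the middleware config.

// True when the request asks for drafts, whether the value arrived as a REST
// query parameter (status=draft) or as a GraphQL argument (status: DRAFT).
function requestsDrafts(params) {
  const raw = params && params.status;
  if (raw === undefined || raw === null) return false;
  return String(raw).toLowerCase() === 'draft';
}

// Pure decision so it can be unit-tested and reused from a GraphQL resolver:
// published reads are always allowed; draft reads need an allowed role, and an
// anonymous caller (no role) is never granted draft access.
function canAccessDrafts(params, roleName, allowedRoles) {
  if (!requestsDrafts(params)) return true;
  if (!roleName) return false;
  return allowedRoles.includes(roleName);
}

// Factory in the (config, { strapi }) => handler shape Strapi middlewares use.
function createDraftGuard(config = {}) {
  const allowedRoles = Array.isArray(config.allowedRoles) ? config.allowedRoles : [];
  return async (ctx, next) => {
    const user = ctx.state && ctx.state.user;
    const roleName = user && user.role && user.role.name;
    if (!canAccessDrafts(ctx.query, roleName, allowedRoles)) {
      // Deny before the controller runs so no draft entry is ever loaded.
      ctx.status = 403;
      ctx.body = {
        error: { status: 403, name: 'ForbiddenError',
                 message: 'Draft content is not available to this role' },
      };
      return;
    }
    await next();
  };
}

// Default-export the factory when loaded as a CommonJS middleware file.
if (typeof module !== 'undefined') {
  module.exports = createDraftGuard;
}
```

Register it as a global middleware in `config/middlewares.js` with the allowed role names in its `config`; the GraphQL path does not pass through `ctx.query`, so there the same `canAccessDrafts` check has to be applied to the resolver's `status` argument.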