fix(example): Add query access check for unpublished articles (#1333)

Author: klausi

examples/graphql_example/src/Plugin/GraphQL/DataProducer/QueryArticles.php

@@ -7,6 +7,7 @@
 use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
 use Drupal\graphql\Plugin\GraphQL\DataProducer\DataProducerPluginBase;
 use Drupal\graphql_examples\Wrappers\QueryConnection;
+use Drupal\node\Entity\Node;
 use GraphQL\Error\UserError;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 
@@ -94,7 +95,13 @@ public function resolve($offset, $limit, RefinableCacheableDependencyInterface $
     $entityType = $storage->getEntityType();
     $query = $storage->getQuery()
       ->currentRevision()
-      ->accessCheck();
+      ->accessCheck()
+      // The access check does not filter out unpublished nodes automatically,
+      // so we need to do this explicitly here. We don't want to run access
+      // checks on loaded nodes later, as that would then make the query count
+      // numbers wrong. Therefore all fields relevant for access need to be
+      // included here.
+      ->condition('status', Node::PUBLISHED);
 
     $query->condition($entityType->getKey('bundle'), 'article');
     $query->range($offset, $limit);