There are basically two problems with the 8.5.8 and 8.6.2 security changes to Content Moderation:
- They introduce a new method to an existing interface. There is at least 1 contributed module that I know of that has an implementation of this interface -- Workflow Participants -- and another one that has an issue to include it -- Group. Any site that attempts to take the security update while one of these is enabled will encounter immediate, site-wide fatal errors due to the missing method implementation.
- They don't provide sufficient information for existing use cases. Both of those contributed modules require the context of the actual content entity in order to determine if a transition is valid, but the new method that was introduced doesn't offer that information. As a result, neither of these modules can even implement the new method properly.
Possible solutions
- Remove the new method from the interface. There is already a
getValidTransitions()method on the interface. The constraint validator can simply get all the valid transitions and then check if the new state is among them. Slightly less efficient, but no API change and no compatibility issues. - Adjust the method arguments from "Workflow/Current state/New state/User" to just "Entity/New state/User". (Both the workflow and the current state can be derived from the entity.) Adjust the implementation of Content Moderation's implementation accordingly.
- Introduce the content entity as an optional 5th argument to the method, making note that it will end up being required in a future version of Drupal.
Based on discussion, option #3 is the route that best complies with Drupal policies around API changes, so that is what has been chosen.