Restrict a user to only view content that they have posted?
Hi,
The site I'm designing involves users creating a node by ticking checkboxes and filling in fields (using flexinode). This is then intercepted by the staff of the company who the website is for, who then send a response back to the user, possibly through the comment system. However, I want the users to view only what content they have posted, not every other user's content (because some of the content may be sensitive), but at the same time being able to view comments that have been posted on that particular user's node by a member of staff. I've tried looking at the access control but if I uncheck "access content" in "node module" this will then display an unauthorised message to the user when they come to create a node.
I've also looked at node_privacy_byrole but this seems to be limited in the same way.
So does anyone know of how I could limit the user to viewing just his or her own posted content (and a comment/response from a member of staff), and not anyone else's?
Thanks very much in advance!

I think access control for
I think access control for "own nodes" is currently a difficult problem in Drupal.
One somewhat awkward solution is to make the content type "unpublished" by default and then let users use the workspace module to list and edit their own posts. It is awkward because: (a) When they click to view their listed posts they get a "permission denied" but they can click "edit" and edit them. (b) The staff would need to have "administer nodes" permission which is too strong.
Another somewhat heavy solution is to create a personal private OG group for each user with the og module, with members only one user and all the staff.
I guess you don't want the users to be able to make their nodes private or public themselves, so any access control "by node" at node creation time is also ruled out. The only other viable solution I can think of (with the existing modules) is a taxonomy vocabulary containing the user names as terms where users would be only allowed to view/post in the category with their own name. Perhaps tac_lite can do this, but it is convoluted.
There is space for a useful access control module here, perhaps an extension of the blog module to make personal blogs private (allowing for exceptions for some roles).
I am curious myself if someone has thought of any other solutions.
edited
Never mind on CCK.
A hackish way of doing it is to install the workflow module; along with na_arbitrator and its "sample module," workflow access. You can then create a one-state workflow for your Flexinode content type and grant only the author (and admins) view privs for the state. Awkward, but it will work--without any access denied errors.
=======================
Just another newbie.
XHTML Strict: it's the way to be.
=======================
Feature request: HTML Source Formatting in TinyMCE
Thanks very much for the
Thanks very much for the responses folks, really appreciated.
Xjm, I've installed workflow and na_arbitrator, and though I find it very confusing I think (or thought?) I may have got the hang of it. I've made a single state workflow, named it "privacy" and made the access available to author and "staff". I have tracking enabled in the profile, which seems to obey the access controls which are established in the workflow - only the author's nodes are displayed. However, if I promote all of the nodes, by default, to the front page, users can read every other node on there, which they shouldn't be allowed to do. Also, if I'm logged in as a user (not admin) and manually type in the address, for example /node/6, it can be viewed, even if it wasn't published by my account.
I could disable promote to front page but I thought it would be easier for staff to find the newest nodes, so I don't really want to do that. Plus this doesn't eliminate the possibility of a user being able to guess at a node number and type it in, and be able to view it. Any ideas as to how I can sort this out?
Hmm, sounds like something
Hmm, sounds like something else is telling Drupal that the user can access the nodes, perhaps before Drupal checks the node_access table.
Here's a trap I fell into when I first set up my workflows: I had my workflow set up to only allow the author to edit a document when it was in a review state, but a certain role could edit it when it was in a revision state. The problem I ran into is that even though my workflow said only the author could edit in the review state, others with that particular role still could.
After I did a bit of testing, I realized that I had specified on the main access control page (admin/access in 4.7) that the role in question had generic edit permissions for that content type. So the module's access control (in this case CCK's) was overriding the workflow access control.
node.module hooks the current module's access handler and returns with that (if defined) before it checks in the node_access table. That means if the specific module returns some access control info for the node, your workflow access controls get ignored.
The solution I used was to simply nuke all access control for that role on the main access control page--just unchecked all the boxes. Then, the module didn't override the node_access table, and the options set in the workflow module took over. (It seemed an insanely simple solution after all the time I spent scouring through the node module to understand what made access control tick.) So, in the end, it worked out and users get "access denied" when they try to view or edit nodes that I said in the workflow access control they shouldn't--but no errors when they view/edit nodes I said they could.
So, in light of what I ran into, I'd recommend checking for any other access control on the module level that might be overriding what you specified with your workflow. Maybe somewhere a module is overriding the workflow_access before it can even go into effect.
(Edited for clarification: node_access database table versus access control page.)
=======================
Just another newbie.
XHTML Strict: it's the way to be.
=======================
Feature request: HTML Source Formatting in TinyMCE
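The resolution order described in the post above (module-level access handler first, node_access table only if the handler gives no answer), as an added example that is not part of the original thread and is not Drupal source code. It is a simplified Python model; the realm names, permission strings, user records and node data are all constructed for illustration.

```python
# Simplified model of the decision order described in the post; constructed data.
# Grants table rows: (nid, realm, gid, allowed ops). Realm names are hypothetical.
NODE_ACCESS = [
    (6, "workflow_author", 2, {"view", "update"}),  # author (uid 2) of node 6
    (6, "workflow_role", 10, {"view"}),             # staff role (rid 10)
]
NODES = {6: {"uid": 2, "type": "flexinode-1"}}


def module_access_hook(op, node, user):
    """Content type's own handler: True decides, None defers to the table."""
    if f"{op} {node['type']} content" in user["perms"]:  # hypothetical perm name
        return True
    return None


def table_grants(op, nid, user):
    """Fallback: does any grants-table row match a grant the user holds?"""
    held = {("workflow_author", user["uid"])}
    held |= {("workflow_role", rid) for rid in user["roles"]}
    return any(n == nid and (realm, gid) in held and op in ops
               for n, realm, gid, ops in NODE_ACCESS)


def node_access(op, nid, user):
    verdict = module_access_hook(op, NODES[nid], user)
    if verdict is not None:      # module answer wins; the table is never consulted
        return verdict
    return table_grants(op, nid, user)


def overrides(op, nid, users):
    """Audit helper: users let in by the module hook although the table denies."""
    return [u["name"] for u in users
            if module_access_hook(op, NODES[nid], u) and not table_grants(op, nid, u)]


AUTHOR = {"name": "author", "uid": 2, "roles": [3], "perms": set()}
STAFF = {"name": "staff", "uid": 7, "roles": [10], "perms": set()}
# Same non-author user, before and after the role's boxes are unchecked.
OTHER_LOOSE = {"name": "other_loose", "uid": 5, "roles": [3],
               "perms": {"view flexinode-1 content"}}
OTHER_TIGHT = {"name": "other_tight", "uid": 5, "roles": [3], "perms": set()}
```

Running `overrides("view", 6, [...])` over every role's effective permissions is the model's equivalent of the check the post recommends: find module-level permissions that mask the workflow's per-node grants.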
Just wondering if you came
Just wondering if you came up with a good workaround for this? I'm in a similar situation now where I want users to only view the content they have submitted (apart from admin) - any ideas?
Thanks
Pete
Pages only viewable by author?
I have the same problem. I want my node to be visible only to authors. Still trying to figure it out.
http://drupal.org/node/219138
Thanks
Uma
Workflow seems to work for me
For Drupal 6.4 workflow RC1 seems to do the trick. You can set it so nodes are only visible by authors very easily and cleanly.
For Drupal 5 there is
For Drupal 5 there is http://drupal.org/project/private Simply a "Private" check box for the author.