A couple of important points should be mentioned in the docs.
1. When initially set up the two settings are added for the Anon and Auth roles - these roles are both granted view permissions on their global lines.
This is probably because if you add TAC and don't set these lines then suddenly none of the content will be available to anon and auth users.
But it goes against what TAC is doing - which is to have content basically disabled - and then you grant permissions as required.
To work with TAC you would generally have to set both of these to Deny - and then start to grant permissions for various roles/terms.
2. VERY IMPORTANT - The global line applies to nodes with no tags AND TO ALL OTHER NODES NOT COVERED BY ANY OF THE OTHER LINES.
So if you set it to Deny it will Deny access to nodes with no tags - but also to nodes which have tags and aren't covered by any of the other TAC lines set up for the role.
The problem is that if the defaults are set to allow then effectively you allow access to everything - and then start to try to deny by role/term etc. This is much more difficult conceptually than denying everything and then allowing based on role/term etc.
Comments
Comment #1
bailey86 commentedAlso.
It may be obvious after using TAC but this might be worth mentioning.
If you enable a role then all content is not accessible to that role unless you enable it the access.
Roles which have not been enabled will still be able to access content by default.
Comment #2
xjmI'm pretty sure all of the information above is already in the documentation:
http://drupal.org/node/31601
I added a parenthetical:
I think it goes without saying that if you want access to global or vocabulary defaults to be "deny" for view, then the default of "allow" won't work. People aren't going to just install the module and not configure it. I suppose I could add a section about the initial installation but it seems self-evident to me.
What you say about needing to set global or vocab defaults to deny to get TAC to work isn't true. The defaults only apply to nodes that aren't in controlled terms. You can have a global default of "allow" and it will not override a "deny" for a specific term.
Also:
This simply isn't true, so I'm not sure what you're getting at.
Comment #3
xjmMaybe I'll try to add a venn-type diagram illustrating how the defaults work, if it's not clear from the text.
Comment #4
bailey86 commentedHi,
I think you're right in that the docs explain it all - I think I was caught out by the anon and auth roles having 'View' Allowed. This meant that when I started trying to Deny access and this didn't work.
Here are my notes about the set up - please use/modify/ignore them as you like. And before I forget - thanks for this excellent module - we're using it on an Ubercart setup to limit which products certain roles can see.
Notes:
For TAC to be able to control the viewing of nodes for a role first the access content permission must be enabled via the permissions admin form. TAC then acts as a layer on top of the Drupal permissions.
NB - Although a role has access content permission enabled the TAC layer then *denies access by default*.
(The only roles which would be able to view content are those with the Drupal permissions to administer content which overrides the TAC viewing access control).
So if only the basic anonymous and authenticated roles are enabled - and they only have a global line in each which is set to Ignore then most roles would be denied viewing access.
However - THIS IS IMPORTANT - the default set up of TAC sets the anonymous and authenticated roles to Allow viewing of nodes by default. This will effectively allow viewing of all nodes by all roles. This is because the global default line applies to all nodes with no tags and all nodes with tags which aren't controlled by another line.
Also note, the Allow permissions are OR'd across roles - so if you try to deny access for a particular role then it will still see the nodes as the authenticated role has View permissions set to Allow.
A good way forward is to set both anon and auth roles to Ignore global view permissions. This will deny viewing by default. Then create roles and add permissions to be able to view nodes based on the Taxonomy terms.
If it is needed to allow anonymous users to view certain content then create a taxonomy vocabulary of 'Roles allowed access' and create a term called Anonymous. Then on the nodes which need to be viewed by anonymous visitors set the Taxonomy term to 'Anonymous' - and then in the TAC under the anonymous role add in a line to Allow viewing for the term 'Anonymous'.
Hope this helps!
bailey86
Comment #5
xjm