The Domain Access module is a node_access() module. For additional developer information, see http://api.drupal.org/api/group/node_access.

By design, the module sets access to content based on the current domain that a user is viewing. If a user is at one.example.com, they can see content that is assigned to that domain or to all domains.

Assigning Domain Access

Users who have the 'Set domain access status for all content' permission can assign any node to any or all registered sites. During node editing, a series of options will be displayed as checkboxes or a multiple select list under the heading "Domain access options":

  Publishing options:
    []  Send to all affiliates
    Select if this content can be shown to all affiliates. This setting will
    override the options below.
  Publish to: * (required)
    [] Drupal
    [] One site
    [] Two site
    Select which affiliates can access this content.

If you select 'Send to all affiliates,' the node will be viewable on all domains for your site. Even if you select this option, you must select at least one domain for the node.

When creating new content, the currently active domain will be selected for you by default. You can change this behaviour with the Content Defaults feature in the Advanced Module Configuration.

For users who do not have the 'Set domain access status for all content' permission, the assignment will be done through a hidden form element. By default, the node will be assigned and published to the domains that are set up in the Content Defaults settings form.

Editor Access

Whenever a user account is created and the Domain Access module is active, user accounts will automatically be tagged with the name of the active domain from which they registered their account. Users with the 'Set domain access status for all content' permission may assign individual users to specific domains in the same way that nodes can be defined.

These user settings are used to determine what domains an editor belongs to. Users with the 'Edit any content on assigned domains' permission can edit any node that belongs to the same domain that the user does. (Remember that users and nodes can both belong to multiple domains.) However, nodes that are assigned to 'all affiliates' do not grant editing privileges to all editors.

Realms

This section contains technical details about Drupal's node access system.

In Domain Access, the following realms are defined:

  • domain_all - Indicates whether the view grant should be passed for all nodes on a given page request. Used in cases such as Search and MySite to enable aggregation of content across affiliates. The only valid nid and gid for this grant are zero (0).
  • domain_site - Indicates whether a node is assigned to all affiliates. The only valid grant id for this realm is zero (0).
  • domain_id - Indicates that a node belongs to one or more registered domains. The domain_id key is taken from the {domain} table and is unique.

Grants

In each of the realms, there are specific rules for node access grants, as follows:

  • domain_all - In some specific cases, like Search or the user's Tracker page, we want people to be able to see content across all affiliates. Only the domain_all grant is assigned in these cases. This grants only 'grant_view'.
  • domain_site - By design, all site users, including anonymous users, are granted access to the gid '0' for realm 'domain_site'. This grant allows all users to see content assigned to 'all affiliates'. This grants 'grant_view' to all users. Users who belong to the current domain and are assigned the 'Edit any content on assigned domains' or 'Delete any content on assigned domains' permissions will be given 'update' and 'delete' grants, respectively.
  • domain_id - When a user, including anonymous users, views a page, the active domain is identified by the registered domain_id. For that page view, the user is granted gid of the active domain_id for the realm 'domain_id'. This allows content to be partitioned to one or many affiliates. This grants only 'grant_view', since 'grant_edit' would allow content to appear to some users regardless of the active domain.

Warnings

Node access in Drupal is a permissive system. Once a grant has been issued, it cannot be revoked. As a result, it is possible for multiple editors to be able to edit or delete a single node. Here's the use case:

  • Node 10 (a book page) is assigned to one.example.com and three.example.com
  • User A is an editor for one.example.com.
  • User B is an editor for two.example.com
  • User C is an editor for three.example.com

Under this scenario, User A and User C will be able to edit node 10.

To be more clear about Drupal permissions:

  • User D has 'Bypass content access control' permission for the site.
  • User E has the 'Book page: edit all content' permission for the site.

In this case, User D and User E can also edit or delete node 10. This is why only super-admins are given 'Bypass content access control' and 'TYPE: edit all content' permissions with the Domain Access module. If you want your affiliate editors to have limited permissions, only grant them 'Edit any content on assigned domains'.
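The scenario above can be checked with a small model of permissive grant evaluation. This is an added example, not code from the Domain Access module: the class and function names are hypothetical, the numeric domain ids are constructed, and placing the update flag on the per-domain rows is a simplifying assumption made to reproduce the behaviour described here.

```python
from dataclasses import dataclass, field

EDIT = "Edit any content on assigned domains"
BYPASS = "Bypass content access control"

@dataclass
class User:
    name: str
    domains: set = field(default_factory=set)  # assigned domain ids
    perms: set = field(default_factory=set)    # permission names from the page

@dataclass
class Node:
    nid: int
    type_label: str
    domains: set               # domain ids the node is published to
    all_affiliates: bool = False

def access_records(node):
    """Rows as (realm, gid, view, update). Assumed layout, see lead-in."""
    rows = [("domain_id", gid, 1, 1) for gid in sorted(node.domains)]
    if node.all_affiliates:
        rows.append(("domain_site", 0, 1, 0))  # view only, never edit
    return rows

def user_grants(user, op, active_domain):
    """Grants a user holds for one operation on one page request."""
    if op == "view":
        return {"domain_site": {0}, "domain_id": {active_domain}}
    return {"domain_id": set(user.domains)} if EDIT in user.perms else {}

def can(user, op, node, active_domain):
    """Permissive check: one matching row grants access, nothing can deny."""
    if BYPASS in user.perms:
        return True
    if op == "update" and f"{node.type_label}: edit all content" in user.perms:
        return True
    col = {"view": 2, "update": 3}[op]
    grants = user_grants(user, op, active_domain)
    return any(r[col] and r[1] in grants.get(r[0], set())
               for r in access_records(node))

def editors(node, users, active_domain=1):
    return [u.name for u in users if can(u, "update", node, active_domain)]

# Constructed data for the Warnings scenario (ids 1, 2, 3 = one/two/three.example.com).
NODE_10 = Node(10, "Book page", {1, 3})
USERS = [User("A", {1}, {EDIT}), User("B", {2}, {EDIT}), User("C", {3}, {EDIT}),
         User("D", set(), {BYPASS}), User("E", set(), {"Book page: edit all content"})]
print(editors(NODE_10, USERS))  # ['A', 'C', 'D', 'E']
```

Running the same check over a real site's users and permissions is a quick way to audit who ends up with edit rights on a multi-domain node.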

However, you still need to give users the 'TYPE: Create new content' permission normally. Domain Access does not affect node creation.

Since Domain Access implements node_access() fully, if you uninstall the module using Drupal's uninstall sequence, all node_access entries should be reset to grant 'grant_view' to realm 'all' with gid '0'.