I force users to select a term from a vocabulary on upload. I want to allow a certain role to select only one particular term out of the vocabulary (other roles can select any of the terms). This seems like a perfect job for TAC. However, I have been unable to restrict term selection on node creation. I have taken screenshots of my TAC permissions and my node permissions; as you should see I want to allow the role in the far right column of the node permissions.
To reiterate: though it seems to me that this role should only be able to create content with the 'Senior speeches' term applied, users in this role can add any term from this vocabulary to content they create. It appears that TAC just isn't doing anything :/
6.22 w/6.x-1.3 FWIW; I disabled/re-enabled TAC to no effect. I haven't uninstalled/reinstalled it or uninstalled it/replaced it with -dev since the commits are so close together.
Any help would be deeply appreciated.
Comments
Comment #1
xjmSo with the configuration above, the Senior Speeches Blog Moderator is able to select any term in the Primary Links vocabulary? Is that correct?
A couple questions:
Also, there is an outstanding issue (#112307: Cannot create node in taxonomy term without create permission for parent term) that actually prevents create permissions from working without the parent term having permissions. So, the user would need create permissions on "Blog" as well if it were working as expected.
Comment #2
Alphabool commentedSo with the configuration above, the Senior Speeches Blog Moderator is able to select any term in the Primary Links vocabulary? Is that correct?
Yes absolutely.
Any account with Senior Speeches Blog Moderator will also have the authenticated user role. Can you check that configuration, post a screenshot of the authenticated role config, and/or verify that no other roles are granting create permission to these accounts on this vocabulary?
In this permissions screen the authenticated user role is second from the left. If you don't want to look, it only has 'access content', 'delete own blog content', and 'edit own blog content' checked. I also tried unchecking the latter two but that made no difference.
Is this a freetagging vocabulary?
No.
Do you have any modules or custom code altering the rendering of the taxonomy form on the node?
I have Hierarchical Select installed but I tried disabling it (but not uninstalling it entirely) to no effect. I also have Override Node Options installed but I disabled it (again, didn't uninstall it) to no effect.
What is the expected behavior? Is this a hook_form_alter implementation or something different? Have you, or anyone else, been able to deny node creation in any case? I can't, even when I disable creation for all terms in a vocabulary....
Thank you very much for the help, xjm. Any further ideas you have would be tremendous.
Comment #3
Alphabool commentedbump
Comment #4
xjmYou still have not provided me with a screenshot of your Taxonomy Access Configuration for authenticated users or a confirmation that they do not have create checked, or whether these users have any additional roles.
Comment #5
Alphabool commentedAuthenticated users don't have 'create' checked: http://i.imgur.com/NGX2Q.png. Users with role 'Senior Speeches Blog Moderator' have no other role other than the base 'authenticated user'.
Comment #6
xjmI still cannot duplicate this. :( I have my test environment configured to match your setup:
With this setup, no terms are listed, because the role does not have create permissions for the parent term:
Content type submission form
When I add the Create grant to the "Blog" term, the role is properly granted access only to that and the child term:
There are only two other things I can think of, and I'm sort of grasping at straws at this point:
node/add/typeornode/123/edit?(Edit: Note that the account does not actually have Update grants in the screenshots here, but I was testing at node creation anwyay, and I confirmed that granting or removing update did not alter the behavior.)
Comment #7
xjmComment #8
xjmPlease provide steps to reproduce from a clean install, since I cannot reproduce this.
Comment #9
xjmComment #10
Alphabool commentedI am glad to be able to say that after returning to this problem a few months later, I created a whole slew of new roles and applied granular TAC permissions with success! The bizarre thing is that the role that I was having trouble with still refused to behave, but once I deleted it and replaced it with a new role with the exact same settings it worked! Sorry to cause you all that trouble, xjm.