I have TAC and TAC Lite installed. I read the discussion on using Taxonomy Access Control with multi-category nodes (nodes that have more than one vocabulary): http://drupal.org/node/68883

I also read the TAC Help which describes how. with multiple category nodes, you can allow access only if terms in both categories match. This works as documented when the access is defned in TAC for a user role.

That is: A user can only access a multi-category node if he has terms that match both Category A and Category B.

However, when acess for a user is defined in TAC Lite, it does not work. That is, if I have a node that has two categories, and a user who has a role (with access defined using TAC) that does not match Category A, but has a TAC Lite vocabulary term defined that does match Category B, then the user is given access to the content.

(I followed the instructions for multi-category access and verified that when the terms are set using TAC, access is granted/denied as documented in TAC Help).

Maybe this is not a bug. If it is not, is there a way to modify the TAC Lite module so that it complies with the TAC Multi-Category permission scheme (i.e., do not allow access unless both Category A and Category B are true).

Thanks!

Comments

Dave Cohen’s picture

Dave Cohen commented
Status: Active » Closed (won't fix)

I don't see this as a bug. It sounds like a cool feature that TAC provides. And therefore a good reason to use TAC instead of TAC Lite. Any reason you have both installed?

As far as TAC Lite is concerned, the user can see a node if the node has any term which grants them access. If the node has more than one term, it behaves the same whether those terms are from a single vocabulary or different vocabularies.

TAC Lite has a primary goal of remaining simple to implement, administer, and understand. There is no point in duplicating the features of TAC (because TAC is already there).

Feel free to re-open this issue if I'm totally missing something.

somebodysysop’s picture

somebodysysop commented

TAC Lite is a great tool, which is why I have to use it. I need to be able to assign permissions to individual users. Therefore, I have one category that is set at the user level, a second that is set on the role level. The user should have both terms before he is allowed access to content.

So, I HAVE to use TAC Lite.

Could you point me to the function(s) in TAC Lite that I could look at in order to see if I could make some easy modification (pipe dream) that would allow for denying access unless both categories in a node are true?

Thanks!

Dave Cohen’s picture

Dave Cohen commented

I think this will not be easy.

First read up on the node_access system: http://api.drupal.org/api/5/group/node_access

When saving a node, drupal calls hook_node_access_records. So maybe you could change tac_lite_node_access records to return something more complicated than it does now. Something based on two terms from different vocabs. When viewing, drupal calls hook_node_grants. When that is called, you don't know what node is being viewed (could be many). Make sure that these two hooks are both modified to return the same things.

Or, you might have better luck writing your own hook_db_rewrite_sql. In drupal 5, the forces that be decided node access modules should not have to do that anymore, hence the new scheme involving the hooks above. But hook_db_rewrite_sql give you lots of control. Take a look at how node.module uses it. Maybe you could hack something into there.

If I were doing this, I think I'd create new types of grants. Instead of just 'view', I'd make 'view_X' and 'view_Y' where X and Y are the vocabulary IDs. Then I'd make a hook_rewrite_sql, or modify the one in node.module, so that it requires view_X and view_Y to be granted.

I really don't know what, if anything, will work best. It's going to take some experimentation.