I actually started this odessy here: http://drupal.org/node/122209

I discovered that if my content belonged a group and is assigned a vocabulary, that a user is allowed access to the content if he either belongs to the group or has access to the vocabulary term. That should not be. A user should only be allowed access to the cotent if he BOTH is a member of the group AND has access to the vocab term.

This is similar to the multicategory node issue with TAC which was discussed here: http://drupal.org/node/68883 and is resolved in TAC Help.

I've thought this issue through, and realized that the simplest way to resolve it would be to insert some sort of logic in at the point where TAC decides if a user has permission to access content. Something like: If this node belongs to a group, check user's group access to content before allowing TAC access. Or, do NOT allow TAC access if group access is denied, or something like that.

All I am requesting here is that someone point me to the function(s) in TAC where it tells Drupal if a user has access to a particular node -- that's where I need to look in order to begin to build this logic.

Thanks for any help anyone can provide.

Comments

keve’s picture

keve commented

The basic of the whole node_access system of Drupal core, that the permissions for each node are OR-ed together. In my opinion this cannot be changed. That is If EITHER module - OG or TAC - gives access to a given node, then the node.module assign access to that node, and saves its access values to the table node_access in the database. (Modules can ONLY assign WEIGHT' to their returned permissions, but as a default OG and TAC permissions are returned with the same weight, and then permssions with the same weight are OR-ed together.)

Node.module 'communicates' with access type modules (og, tac) with hook: hook_node_access_records($node).

As of now, the setup you would like to make, cannot be done. Becasue TAC and OG are not communicating w/ each other. I have no intention to change this.
Maybe you can write your own module, which can bridge OG and TAC. It would ask both modules for permissions for a given node (w/ hook_node_access_records), and then your module ANDs toghether the permissions, and it gives its aggregate permission a lower weight. This is just an idea, i am not sure if it can be done.

somebodysysop’s picture

somebodysysop commented

An excellent idea, and I believe it can now be done: Someone has posted a snippet that modifies the node module (node_access) to use an Extensible Node Access/Authorisation capability: http://drupal.org/node/122173.

This allows me to write a permission check in the nodeapi section of TAC that could first check OG before returning TRUE or FALSE for TAC. A similar check (in reverse) would be written in the nodeapi section of OG. This, effectively, would allow the two modules to work together!

So, now all I need is a simple permission check in TAC that does not use node_access.

My final question: Is there a function in TAC that does NOT use node_acess which I could use in order to simply return TRUE or FALSE if the current user has access to the current node ($node, $op)?

Thanks so much!

keve’s picture

keve commented

taxonomy_access_node_access_records($node) returns an array, which include "view, update, delete" permissions for a given node.

keve’s picture

keve commented

An idea: The module i would write for it, would not change OG, TAC, and node modules.
It would be a simple access module. (I have no time for code writing for it)

Workflow:
When node.module calls hook_node_access_records($node) of this module, it would recall hook_node_access_records($node) of OG and TAC, then it would calculete an aggregate permssion based on these. Finally it would return the array of the aggregate permissions with higher PRIORITY (than OG or TAC).
This would cause that these values w/ higher priority are saved to table node_access. (anulling OG and TAC values).

I have not investigating this idea, but i would start in this way, i think.

somebodysysop’s picture

somebodysysop commented

I actually managed to get a scenario working that respects OG and TAC permissions. If content is tagged as private to a group, and contains private taxonomy, it can only be accessed if the user is in the group and in a role which permits access to the taxonomy term.

With the snippet described here: http://drupal.org/node/122173, it was really kind of easy. The only function I needed to modify was taxonomy_access_nodeapi, and even then I simply added the 'access' case which is only used by the snippet. I wrote my own function to return TRUE or FALSE for access.

However, I still have a problem. My modifications are triggered from "node_access", so my permissions work for everything except node listing (views, tracker, recent posts, etc...).

So now, users can list content that they can't actually access. Sigh....

Everything I've read says to look at db_rewrite_sql(). node_access was a walk in the park compared to this. Can you point me in the right direction?

Again, thanks.

keve’s picture

keve commented

Drawback of the approach you mention:
1. permissions are not saved to table node_access. (That is why, you can list the nodes).
- if values would saved to the table, you would not need to care about nodeapi, and db_rewrite_sql (node.module would do this job).
2. you have to patch the core! (IT will make you a lot of work later when updating drupal.). Also eg. TAC.

With the idea i mentioned you do not have to patch anything, BUT you have to write a separate module for it.

But, your sollution can still be done w/ hook_db_rewrite_sql. :)
(BUT you have to test it very well, afterwards).
Look into node.module how it restricts access and how it works, node_db_rewrite_sql().

somebodysysop’s picture

somebodysysop commented

When node.module calls hook_node_access_records($node) of this module, it would recall hook_node_access_records($node) of OG and TAC, then it would calculete an aggregate permssion based on these. Finally it would return the array of the aggregate permissions with higher PRIORITY (than OG or TAC).
This would cause that these values w/ higher priority are saved to table node_access. (anulling OG and TAC values).

I've already got all permissions working except for list. It sounds like, from your idea, where I need to be looking is hook_node_access_records($node). If your idea about a 3rd module used to aggregate the permissions will work, then surely modifying the existing access_records function should as well (although I agree, this is not the best strategy for long term -- but until that 3rd module gets built, this will resolve my issue for now).

Do you agree?

If so, how would you suggest I modify the taxonomy_access_node_access($node) function to respect the OG permissions as well?

somebodysysop’s picture

somebodysysop commented

I actually got up to speed on db_rewrite_sql and modified the taxonomy_access_db_rewrite_sql like this:

      $sql = "SELECT t.tid, d.vid, BIT_OR(t.grant_$op) AS grant_$op FROM {term_node} tn
INNER JOIN{term_access} t ON t.tid=tn.tid
INNER JOIN {term_data} d ON t.tid=d.tid
INNER JOIN {og_ancestry} oa ON oa.nid=tn.nid
WHERE t.rid in ('".implode("','",$rids)."') 
AND grant_$op = 1 group by t.tid, d.vid
AND oa.group_nid in ('".implode("','",$gids)."')";
// $gids are group ids of current user - so, at the very least, I should only see grants for data in groups this user belongs to.

Did the same thing for og_access_db_rewrite_sql. I only have og and tac access controls.

I tested this sql independently and it does limit the access grants to just those I want. However, when the modules are modified and uploaded (delete cache, run cron.php), my default views still list all documents even though the user does not have access. It lists tac documents that should not be listed for the user according to the db_rewrite_sql logic (same for og).

Does this mean I need to modify node_db_rewrite_sql itself, or I'm still missing some piece of this puzzle? Or, should I be looking at hook_node_access_records?

This is the final piece. of the puzzle. Once I get this, I should be home free. Thanks!

keve’s picture

keve commented

Coomment for #8:

Sorry i have no time to look to your sql query.

For node access: Insert an IF statement into taxonomy_access_db_rewrite_sql($query, $table, $field), to check if $field ==nid!

Then look at node_db_rewrite_sql, to see how it restricts the sql query for nodes.

Comment for #7:
You can make that taxonomy_access_node_access_records($node) CALLS og_node_access_records($node), and then REUTRNs aggregate permissions with HIGHER PRIORITY. So that these AND-ed values will be saved to table node_access, instead of old OR-ed values w/ og.module.

somebodysysop’s picture

somebodysysop commented

Got it working modifying only node_db_rewrite_sql. OG and TAC are working in concert. All node listings work as expected.

However, my "categories" box doesn't appear on node submission forms for any user except the admin user. I have vocabularies set up with terms for node types that my authenticated users are allowed to access.

So, my guess is that somewhere something that's supposed to tell the node_add function to place the categories box is not working in either node or taxonomy_access modules somewhere. Any ideas where that would be in the TAC module?

Thanks!

somebodysysop’s picture

somebodysysop commented

Got it.

In the taxonomy module, taxonomy_form_alter($form_id, &$form) handles the creation of the Categories box which contains the vocabulary and terms.

What I discovered in that function is that it is this line:

    $c = db_query(db_rewrite_sql("SELECT v.* FROM {vocabulary} v INNER JOIN {vocabulary_node_types} n ON v.vid = n.vid WHERE n.type = '%s' ORDER BY v.weight, v.name", 'v', 'vid'), $node->type);

which gathers the vocabularies that this user has acces to. And, it is taxonomy_access_db_rewrite_sql() (at least in my case, since I have it installed) which rewrites the sql based upon the user and his role IDs.

So, I went back to taxonomy_access_db_rewrite and modified it to get the correct role IDs, and bingo, problem solved.

Now, to put this into a separate module.... Thanks for all your help.

somebodysysop’s picture

somebodysysop commented

I've had my TAC/OG integration working fine for a few months now. I'm ready to try and move the functionality into a separate module, as you have wisely suggested, rather than patch TAC.

The only place I needed to patch TAC was in the taxonomy_access_db_rewrite_sql() function. It has been suggested to me that if I take my modified hook_db_rewrite_sql() code, place it in a custom module and weight that module higher than the taxonomy_access module, that my modified code will effectively override the taxonomy_access_db_rewrite_sql() code, provided it executes under the same conditions, i.e.

  if (!user_access('administer taxonomy') && ($field =='vid' || $field =='tid')) {

.

Do you concur?

somebodysysop’s picture

somebodysysop commented

It has been suggested to me that if I take my modified hook_db_rewrite_sql() code, place it in a custom module and weight that module higher than the taxonomy_access module, that my modified code will effectively override the taxonomy_access_db_rewrite_sql() code, provided it executes under the same conditions,

FYI: Yes, it works.

xjm’s picture

xjm
she/her
Primary language English
commented
Status: Active » Closed (fixed)
jakew’s picture

jakew commented

Has this issue been resolved? I seem to be having trouble with it on Drupal 6 with OG 2.1 and TAC 1.2.

xjm’s picture

xjm
she/her
Primary language English
commented

Please see:
http://drupal.org/node/765832