Closed (duplicate)
Project:
Taxonomy Access Control
Version:
5.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Reporter:
Created:
26 Apr 2007 at 16:23 UTC
Updated:
6 Apr 2010 at 13:29 UTC
Can someone please explain the functional difference between the settings for Ignore and Deny? Looking at the code, it seems that either one will be written to node_access as a zero (essentialy, Ignore).
Do I have this wrong?
Comments
Comment #1
bchoc commentedIgnore is "Deny unless overridden by Allow"
Deny is "Deny and override Allow."
(This is within the role.)
If you prefer, you can think of it as an order-of-execution situation: Ignore (Deny) is first, then Allow, then Deny. So if I node has an ignored tag it will be overriden by the later Allow, but the final Deny trumps both.
For example, if a node is tagged only with a term my role is set to Ignore, I will not see that node. If it's tagged with an Ignore term and an Allow term, then I will see it. However, if its got a Deny term and an Allow Term, I won't see it.
Does that clarify at all?
Comment #2
edrex commentedVery well put! Perhaps we could clarify the help text, which is already quite good, but somewhat vague on this point.
Comment #3
mandclu commentedMy point was that looking at the code, it seems that the module does the same in either case. Which would mean, in effect, that the two are equivalent, even though the names imply different things.
Comment #4
edrex commentedA value of 2 is stored in term_access for ignore. Check your database. Thanks for auditing.
Comment #5
mandclu commentedSorry if my limited understanding of the modules functioning is impeding my understanding but...
My original question was with regards to node_access, and I did check the database, and in both cases (ignore or deny) a zero was written to node_access.
As such, would a node_access call on a given node get back a different result between the two?
Comment #6
edrex commentedTry this:
You should find that anonymous CAN access test1, but cannot access test2, since deny overrides allow.
Comment #7
mandclu commentedAh, so it will work internally within the scope of taxonomy access, but the deny will not be able to prevent access that might be granted by other access modules.
Comment #8
edrex commentedRight, the current behavior is to only override locally.
Overriding other modules is possible by passing a higher 'priority' attribute to hook_node_access_records. This seems like a good idea, so let's change this to a ticket to implement that.
Not sure what values other modules are using for their priority values. Could someone interested in interoperability with a specific other node access module take on this research task?
Comment #9
edrex commentedComment #10
edrex commentedI have thought about introducing a "weight" field on each access rule in 5.x-2.x-dev. This weight would go straight into the node_access "priority" field, allowing specific TAC rules to override each other and also rules from other modules. We could then eliminate "Ignore", since it's really just a low-priority deny.
Just ideas. Maybe in 3.x-dev :)
Comment #11
xjmMarking as duplicate of #695376: How give term-based Taxonomy Access Control VIEW DENY over type-based Content Access VIEW ALLOW.
Comment #12
webel commented@edrex years later
Well I certainly did check (‘audited’), and TAC setting (I)gnore writes a 0, not a 2.
(I)gnore = 0, (A)llow = 1, (D)eny = 2
This could be included in the main documentation for this module, too.
Comment #13
webel commentedFor anybody interested in this thread (I realise it is duplicated) please read and consider the README.txt from another access module _Content Access_:
And from the README.txt of another access module _Book Access_:
I am not quoting them to claim they are accurate when applied to TAC, rather I want to unify such remarks across all core and contributed Drupal access modules.