Can someone please explain the functional difference between the settings for Ignore and Deny? Looking at the code, it seems that either one will be written to node_access as a zero (essentialy, Ignore).

Do I have this wrong?

Comments

bchoc’s picture

Ignore is "Deny unless overridden by Allow"
Deny is "Deny and override Allow."

(This is within the role.)

If you prefer, you can think of it as an order-of-execution situation: Ignore (Deny) is first, then Allow, then Deny. So if I node has an ignored tag it will be overriden by the later Allow, but the final Deny trumps both.

For example, if a node is tagged only with a term my role is set to Ignore, I will not see that node. If it's tagged with an Ignore term and an Allow term, then I will see it. However, if its got a Deny term and an Allow Term, I won't see it.

Does that clarify at all?

edrex’s picture

Very well put! Perhaps we could clarify the help text, which is already quite good, but somewhat vague on this point.

mandclu’s picture

My point was that looking at the code, it seems that the module does the same in either case. Which would mean, in effect, that the two are equivalent, even though the names imply different things.

edrex’s picture

A value of 2 is stored in term_access for ignore. Check your database. Thanks for auditing.

mandclu’s picture

Sorry if my limited understanding of the modules functioning is impeding my understanding but...

My original question was with regards to node_access, and I did check the database, and in both cases (ignore or deny) a zero was written to node_access.

As such, would a node_access call on a given node get back a different result between the two?

edrex’s picture

Try this:

  • create three terms: allow, ignore, deny, and grant anonymous user allow, ignore, and deny perms for each respectively
  • Create one node test1 in allow and ignore (both) and one test2 in allow and deny (both).

You should find that anonymous CAN access test1, but cannot access test2, since deny overrides allow.

mandclu’s picture

Ah, so it will work internally within the scope of taxonomy access, but the deny will not be able to prevent access that might be granted by other access modules.

edrex’s picture

Title: Difference Between Ignore and Deny? » Make Deny override other access modules

Right, the current behavior is to only override locally.

Overriding other modules is possible by passing a higher 'priority' attribute to hook_node_access_records. This seems like a good idea, so let's change this to a ticket to implement that.

Not sure what values other modules are using for their priority values. Could someone interested in interoperability with a specific other node access module take on this research task?

edrex’s picture

Title: Make Deny override other access modules » Let "deny" override other access modules
Version: 5.x-1.0 » 5.x-1.x-dev
Component: Documentation » Code
Category: support » task
edrex’s picture

I have thought about introducing a "weight" field on each access rule in 5.x-2.x-dev. This weight would go straight into the node_access "priority" field, allowing specific TAC rules to override each other and also rules from other modules. We could then eliminate "Ignore", since it's really just a low-priority deny.

Just ideas. Maybe in 3.x-dev :)

xjm’s picture

webel’s picture

@edrex years later

Well I certainly did check (‘audited’), and TAC setting (I)gnore writes a 0, not a 2.

(I)gnore = 0, (A)llow = 1, (D)eny = 2

This could be included in the main documentation for this module, too.

webel’s picture

For anybody interested in this thread (I realise it is duplicated) please read and consider the README.txt from another access module _Content Access_:

Running multiple node access modules on a site (Advanced!)
-----------------------------------------------------------
A drupal node access module can only grant access to content nodes, but not deny it. So if you are using multiple node access modules, access will be granted to a node as soon as one of the module grants access to it. However you can influence the behaviour by changing the priority of the content access module as drupal applies *only* the grants with the highest priority. So if content access has the highest priority *alone*, only its grants will be applied. By default node access modules use priority 0.

And from the README.txt of another access module _Book Access_:

Certain access control modules can impact functionality of this module. Broad reaching modules such as "taxonomy access" and "content access" can override the values set in the Book Access Settings page. You must turn off all enabled access controls in such modules.

To be clear, if you are using additional access control modules, be certain that none of them are allowing access to book nodes. The simplest way to do this is to limit the types of pages that a book may contain to a single node type (such as "book page") and unset any access grants provided by other modules on that node type's configuration page.

I am not quoting them to claim they are accurate when applied to TAC, rather I want to unify such remarks across all core and contributed Drupal access modules.