I am finding it challenging to implement Access Control within a specific content type.

The goal is a library of Books with various restricted read/write permissions for various Roles. For instance, the IT department should have a book in which users belonging to the Role "IT" can document procedures or knowledge on the fly, but all other Roles in the organization should have neither read nor write permissions for that specific Book. Each department and/or project within the organization should have the ability to maintain a Book that is unique and of interest only to that department or project. There will also be Books for which all roles within the organization would have read permissions and a few roles would have write permissions. Unfortunately, Access Control is all or nothing for a specific content type.

I have attempted this with the Content Access module and the Nodeaccess module but have not had any luck. The Content Access module will restrict access to a content type, but not to specific nodes that are of that content type. So I tried the Nodeaccess module, but I can't seem to get anywhere with it. I have granted the manager role full permissions to node access but am unable to find any kind of controls that would allow me to restrict or grant access. I will post a support request on the nodeaccess page... but the purpose of this post is not to debug my nodeaccess or access control settings (or lack thereof), but to ask for advice. What are others doing to achieve this? I assumed Drupal could handle this type of granularity in a bit more user-friendly way.

I suspect most people are using the Taxonomy modules to achieve this level of access control, and that will be my next attempt. But I was wondering if it was possible to simply copy, or mimic, the Book content type and then use the Content Access module to get the kind of granularity I am after. So, if I could create content types called, for example, "IT Book", or "Department A Book", "Department B Book", "Project 1 Book", "Project 2 Book", etc., then I could simply use the standard Access Control to restrict Roles by content type.

Is this crazy talk and I should just get on with implementing a taxonomy? Or can something like this be done?

Thanks

Since Access Control can be utilized via Roles, and Roles are tied to Content Types

Comments

kpm’s picture

forgot to delete it....

VM’s picture

yes the book.module can be duplicated, however....... you will need to change the name of the module itself, and every function in the module so that it and the original do not clash. see: http://drupal.org/node/102446 for handbook page that describes this in much more detail.

you could also create your own content type by writing a module (check out the handbooks under modules developers guide) which would give you more options if you wanted them.

or investigate the CCK.module which may be of benefit here as well.

gollyg’s picture

Unless I am missing something here (which is quite probable), the taxonomy access module will give you all of this control.

It does not make sense to create essentially five versions of the same content type just to implement access control. Simply install taxonomy access, create a vocabulary that applies to your book content type, and then configure access control on a per role basis.

For each book assign it one (or multiple) terms from the vocabulary such as IT etc and then the access control will be applied as per settings.

cboshuizen’s picture

Using Taxonomy Access Control is the best way to enforce security for nodes of the same type (book) with different usages (described by categories).

However, Drupal still lacks a good solution for restricting access to different content types. For example, if I have a CCK type 'News' and another 'Internal Memo' there is no good way to make sure every page of type internal memo is not visible to the public. Using TAC means that I have to assign the right category every time I make a new page of this type. There are workarounds, like creating taxonomies with only one category, but they are very flawed.

Two ways forward are to add "View content type XXX" to the core Access Control settings page for each content type or through the CCK module, or for TAC to expand its uncategorised node setting to have one setting per content type (Uncategorised nodes of type X, Uncategorised nodes of type Y).

gollyg’s picture

I think this is becoming even more significant with the ability to create content types so easily - it is becoming such a common need.

I am finding I am using content types for all sorts of things. I actually feel that, as well as an easy way to control access to view specific node types (probably configured from the content type page), there should also be control over whether or not the content type provides a page view. This would make it possible to use content types to add small chunks of content, such as list elements, without the full page view.

I'm off to the feature request page before the code freeze....

cboshuizen’s picture

I'm off to the feature request page before the code freeze....

Thank you!

twohills’s picture

I too thought this was hard, until I installed Node Access.

Go to admin/user/nodeaccess, set the permissions for the selected node type, and you're done! It's a doddle. Don't turn on the grants tab and you won't have per-node access. Nice and simple.

now if I can just get it to allow teaser views but deny full node views....

smscotten’s picture

I found this thread because I'm looking for a way to deny both teaser and full node views. Using the Content Access module I've so far been only able to deny the node. What I want not to show up I want not to show up at all! So I have the opposite problem as you. I think I'll try Node Access.

Thanks!

twohills’s picture

You have a problem with taxonomy access because, as you say, you have to remember to select the correct taxonomy type for each PAGE OF THE BOOK. No access module I know of will inherit the access rules of the root parent page of the book. This also means that you have to trust (or check) every page added by others.

I'd go so far as to say forget Book. Create special node types and run a single node of each type as a wiki-style page that everyone of a selected role can edit (and Node Access does a simple job of limiting access by node type)

or consider using a wiki module...
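
The gap described in the last comment (every page of a book needs the right term, and nothing inherits from the book's root page) can be checked for mechanically. The following is an added example, not part of the thread and not code from any Drupal module: a Python model that compares the roles able to view each page with the roles able to view its book root. The role names, terms, the rule for uncategorised pages and the page data are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Page:
    nid: int
    parent: Optional[int]   # nid of the parent page, None for the book root
    terms: frozenset        # vocabulary terms assigned to this page

# Constructed policy: terms each role may view (stands in for per-role settings).
ROLE_VIEW_TERMS = {
    "IT": {"IT", "All staff"},
    "Sales": {"Sales", "All staff"},
    "Manager": {"IT", "Sales", "All staff"},
}
# Assumption: roles allowed to view a page that carries no term at all.
UNCATEGORISED_VIEWERS = {"IT", "Sales", "Manager"}

def viewers(page):
    """Roles that can view a page under the model above."""
    if not page.terms:
        return set(UNCATEGORISED_VIEWERS)
    return {r for r, allowed in ROLE_VIEW_TERMS.items() if page.terms & allowed}

def book_root(pages, nid):
    """Follow parent links up to the root page, refusing to loop on bad data."""
    seen = set()
    while pages[nid].parent is not None:
        if nid in seen:
            raise ValueError(f"parent cycle at node {nid}")
        seen.add(nid)
        nid = pages[nid].parent
    return pages[nid]

def audit(pages):
    """Return {nid: (roles gaining access, roles losing access)} versus the root."""
    findings = {}
    for nid, page in pages.items():
        expected = viewers(book_root(pages, nid))
        actual = viewers(page)
        if actual != expected:
            findings[nid] = (actual - expected, expected - actual)
    return findings

# Constructed sample: an IT book whose child pages were tagged inconsistently.
PAGES = {p.nid: p for p in [
    Page(1, None, frozenset({"IT"})),     # book root
    Page(2, 1, frozenset({"IT"})),        # tagged correctly
    Page(3, 2, frozenset()),              # term forgotten
    Page(4, 1, frozenset({"Sales"})),     # wrong term chosen
]}
```

Calling `audit(PAGES)` reports node 3 (exposed to Sales because the term was forgotten) and node 4 (exposed to Sales and hidden from IT because the wrong term was chosen).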