Is this module intended to be used long term or it is a temporary fix? The download contains a patch for taxonomy.module which is rather dubious. It also only includes a .mysql but not a .pgsql file. I am hesitant to implement this module with it's new database requirements if the functionality is being considered for inclusion in the core in the future, even though it is needed now.

Comments

grantbow@civicspacelabs.org’s picture

Tangent, good questions.

This was the only module I found that provided true private forums. After I tried it I had to (unfortunately) disable it. A few things have improved since I tried it a few weeks ago. I also think that the security node access features might need to settle down a bit. It's hard to add security to any software product when it wasn't designed with advanced security in mind from the beginning. This module almost gives true private forum capability based on roles, an often requested feature.

I found that the node level security and these role based securities had strange interactions. I also found that despite limiting access to direct viewing, access via search and archives was still provided to supposedly private content.

This module seems like the right approach, but it needs some attention and care. I hope pyromanfo (taxonomy_access maintainer) and the core developers weigh in on this.

tangent’s picture

Providing security with a module is doomed to failure unless the module is well written (covering all access to content) and, even more importantly, maintained. This is why it needs to be in the core featureset.

Hopefully this isn't long in coming.

Steven’s picture

Drupal 4.5 was coded so that the access hooks are inside core, but the specific rules are module-controlled. The current system is watertight when it comes to content. As far as I know there are only side-effects such as people still being able to view disallowed taxonomy categories, just that they won't see the content in it.

Also, the plan /is/ to have at least one or two access modules in Drupal core in the future, however we will only do this when the modules have matured enough.

sulleleven’s picture

this module is working wonderfully for me. I dont have any other access/security modules installed.
i have not been able to slip into any restricted content... except as mentioned here, that query results list all items whether you have access or not...though you cannot open and view those node items.

so except for that caveat (easily fixable, but may result in slower queries), this thing purrs.

it should and likely will be drupaL core soon.

grantbow@civicspacelabs.org’s picture

Seeing the subjects is not water tight at all. Things like Search and Archive, anything that provides alternative access to content needs to be very sensitive to security settings. For now the most conservative approach is either a separate Drupal site for truly private content or not allowing any private content into Drupal at all. Any module that accesses the tables directly (not through an API) can easily break carefully laid security precautions. Adding security to a product relatively late in it's development life span is very non-trivial and will take much more work and testing.