More finely-grained node permissions

Good suggestions! I think this setup would work nicely. It encompasses everything I can think of, and gives a lot of flexibility that the current system can't provide.

I don't think there needs to be any more distinction between acting on your own nodes or others'. Delete would be the only candidate in my opinion, but if you only have 'delete your own' permission, BUT your own node is editable by anyone, then you aren't really deleting your own. :) Ultimately, if a node is only editable by you, you can effectively delete it by entering no text. So I think "delete' should apply to all nodes.

I think this goes beyond the node privacy byrole module. The underlying node_access table that all such node-based access modules use only offers 3 grant modes: view, update, delete. This is part of drupal core and would have to change for all such node access modules from what I can tell. Many of the settings that you see are permissions as opposed to access rules (though access methods often call upon the permissions to calculate access rights, but this varies from one module to the next).

I agree with your proposal, however. I'm just now getting familiar with how the node access system works, but I see some limitations in the level of control that's available. One consideration, though is the amount of user interface required to support such features. I'm a huge advocate of the "advanced" tab where all of the non-default access options reside.

Just a warning about performance: I have a node table of roughly 11000 records and a node_access table of roughly 34000 records, with 4 possible user roles. My mysql slow-query-log is activated and pretty much all my slow queries (some running over 2 minutes!) are related to the multiple joins associated with this (useful!) module. I'm pretty sure adding more stuff to node_access would be a big hit on performance unless the SELECT queries are changed or perhaps split into multiple queries. Just my 2 cents. Other than that it sounds like a good idea.

Amen! I'm new here, so all I can tell you is that as new administrator, this reform would clear up a lot of the difficulties and confusions that I have. I am especially troubled by the fact that I can't separate the ability to edit a node from the ability to delete previous revisions of that node.

http://drupal.org/node/53772

i disagree with forngren's classification of this as duplicate with the (much newer, non-core issue) he linked to. i still think this proposal makes sense, and would like to see it in core. of course, we're actively working on turning core's default node types to be handled by CCK, and perhaps the issue forngren linked to will end up helping to resolve this. but, i still think there's goodness in here that should be considered, not ignored.

performance concerns aside (*ahem*) i'd rather see more fine grained permissions instead of dumping these together. i think the distintion of "edit own" and "edit others" is huge. i could see most site admins granting users nearly unlimited power to edit or delete their own content, but certainly not to edit all content on the site. i think "edit own" is crucial functionality which absolutely should stay separate from "edit all".

anyway, i hope some of these ideas find their way into core, either via CCK moving into core, and/or via separate patches.

thanks,
-derek

Drupal 5 now has much nicer node permission breakdowns via the mini-CCK features that were merged into Core.