Posted by stefan_seefeld on September 28, 2007 at 3:14pm
| Project: | Content Access |
| Version: | 7.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs work |
| Issue tags: | Usability |
Issue Summary
I'v just installed the content access module, and I really like it !
However, I find a little unintuitive (and insecure) the way per-node access control
is handled:
I would expect node authors to be offered access control forms on the node
creation page. However, it seems the expected work-flow is to 1) create a node
(with full access control as per the content-type-specific settings), and only then
2) change access control parameters.
Thus, there is some time between 1) (node creation) and 2) (node editing) where
access control is granted to everybody.
Am I missing something ?
THanks,
Stefan
Comments
#1
I was also thinking aboout nodeaccess.module
A user has to submit it first, then edit it and click `grant' tab
#2
Sorry the original title was changed
#3
hm, I don't use the module this way, but yes this might be not ideal for newly created nodes. Feel free to provide a patch, that improves that. :)
#4
Has anyone managed to add this functionality?
#5
this is a patch.
Notes:
-Only works with ACL 5.x-1.x-dev
-workflow-ng is not tested.
#6
#7
#8
has anybody tested this patch yet?
Unfortunately I'm using D6 so I'm unable to test it at the moment.
It would be an absolutely usability improvement if this feature could go into the content access core - even if only as an option.
#9
The patch works. It also works with the latest stable ACL module. I haven't tested the workflow-ng.
Does anyone know how to hide, disable, or filter the roles?
I've tried modifying the hook_form_alter so I can use '#disabled' for the checkboxes. It seems to me it uses checkboxes so I guess there is no attribute to disabling an option. If I try to disable a checkbox for a 'View', 'Edit', or 'Delete' column under Role Access Control, it disables all the checkboxes.
#10
Does this patch work with Drupal 6, with ACL 6.x-1.2 and Content Access 6.x-1.2 installed ?
I have another access control module installed for domain access control, and this shows options when I create new content, but the node access control is not shown and I have to edit the node after it has been created. As somebody mentioned earlier, this is not the best security because it means for a short moment the node is available to all users.
#11
I am working on this same problem at the moment.
The work around is to set the node to unpublished, set permissions and then set node to published - you can obviously set the general settings for the content type to be unpublished removing 1 of the above steps but it's not ideal.
I had a look at rules to see if you could redirect to the node/[node:nid]/access page so you were effectively setting the permissions straight away but this didn't work - maybe as the nid hadn't been created on form submit? any other ideas?
There is a module called:
http://drupal.org/project/subform_element
which seems to let you place a form within a form - that might be another work around.
Ideally it needs something like this in a hook_form_alter (taken from webform module):
<?php/* Start per-role submission control */
$form['webform']['role_control'] = array(
'#type' => 'fieldset',
'#title' => t('Webform access control'),
'#collapsible' => TRUE,
'#collapsed' => FALSE,
'#weight' => -3,
'#parents' => array('webform'),
'#description' => t('These permissions affect which roles can submit this webform. It does not prevent access to the webform page. If needing to prevent access to the webform page entirely, use a content access module such as <a href="http://drupal.org/project/taxonomy_access">Taxonomy Access</a> or <a href="http://drupal.org/project/node_privacy_byrole">Node Privacy by Role</a>.'),
'#access' => variable_get('webform_submission_access_control', 1),
);
$user_roles = user_roles();
$form['webform']['role_control']['roles'] = array(
'#default_value' => $node->webform['roles'],
'#options' => $user_roles,
'#type' => 'checkboxes',
'#title' => t('Roles that can submit this webform'),
'#description' => t('Uncheck all roles to prevent new submissions. The %authenticated role applies to any user signed into the site, regardless of other assigned roles.', array('%authenticated' => $user_roles[2])),
);
/* End per-role submission control */
?>
#12
Subscribing.
#13
changing to attract attention to version 6 and active because its not 2008 any more. To code because additional code is needed. To bug report, because it's a bug, not a feature, and priority to major, because if this is not major, then what is. Feel free to change back, but this looks like right issue settings.
Node form should have fieldset with roles checkboxes that may view node and that should be set WHILE node is created. Ill try to port patch to d6.
#14
#15
subscribe
#16
Tagging for next Usability round.
#17
I'm not sure this really makes sense. It would be overwhelming to include this information on the node/add page, IMO. If it is added definitely it should be optional.
That said, this is a feature request so priority should be "normal" since there are obviously many people happily using the module without this feature.