Dear all,
I just made a fresh install of Drupal CVS, taxonomy_access CVS (TA) and organic group CVS (OG). The purpose was to test if TA and OG can work together. I first install OG witch works great and then TA. After the setup of TA, all my private posts with OG can be seen even for unregistrerd people witch wasn't the case before.
So :
1) am I missing something in my setup in order to have OG and TA working together ?
2) is it a known "feature" that OG can't work with TA and vice vers ça ?
3) should I fill a bug report, in OG, in TA, in the both ?
4) should we put in each README.txt something related to this known "feature" or "bug" ?
OG and TA are great works (BTW, many thanks to the authors) but it should be nice to have then work together.
Regards,
Eric
By ec on
Comments
Update
After some other tests, it seems that :
1) OG and TA need to be setup before any posting, otherwise private posts become public and one needs to re-set all permissions !
2) TA needs to be setup before OG otherwise one needs to re-run OG "initialize access control"
Hope this can help. Any other advise will be welcome.
Regards,
Eric
unlikely
drupal's node_acccess APi is not yet robust enough to handle multiple simultaneous permission modules. you really should fule a feature request for node.module, instead of either module.
if you are a drupal developer, you could comment out the proper lines and get the 2 modules to work together. but that is out of the reach of most drupal admins. i have not tried this, and won't work on it voluntarily for a while
Is this to say that I should not run the both TA and OG ?
Thanks for your answer. How do I understand you when writing "drupal's node_acccess APi is not yet robust enough to handle multiple simultaneous permission modules" ? Is this to say that I should not run the both TA and OG ? Or if set properly, i.e TA first and OG second, it could be OK ? BTW, I try OG with node_privacy_by_role and I could'nt have them running together. It's either OG or node_privacy :( !
eric
Security hole in TA
You should know that TA does not filter RSS feeds. That is, if the restricted post is, for example, a blog, then anyone who subscribes to the blog feed will see ALL of your posts, not just the ones that they have permissions for. It seems to be safe in preventing people from viewing restricted taxonomies, but any intermixed page (like the blog feed) will publish to RSS all posts.
--
mediagirl.org
Experimental code to solve this issue available
I have an experimental version of code that attempts to get multiple access control modules to play nice with each other. See http://drupal.org/node/24868. Feedback is greatly appreciated.
Thanks