Do not hijack the 'all' realm
salvis - March 26, 2008 - 22:34
| Project: | Content Access |
| Version: | 5.x-1.3 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Jump to:
Description
If the administrator grants View access to anonymous and authenticated users, CA creates a grant in the 'all' realm, as core does for nodes that receive no grants whatsoever. In the presence of other grants, however, this is most confusing.
The cooperative architecture of Drupal's node access mechanism relies on the contract that every module supplies its grants under one or more realms of its own, and the 'all' realm belongs to core.
#1
It seems to me that this behavior of Content Access module is the reason why my forum access control broke after I updated Content Access and Forum Access modules.
See http://drupal.org/node/215563#comment-807818
Are there any workarounds for this issue?
BR,
Markus
#2
Just to let you know that I found a workaround for my problem.
See http://drupal.org/node/215563#comment-809915
-Markus
#3
Is this really causing any problems? This linked problem seems to be fixed.
Re-using the existing 'all' realm avoids complicating the query - so it speeds up things a bit.
#4
#5
The linked problem is fixed by FA specifically checking for CA and informing the user that he should not try to use CA on forum topics at the same time as FA. This should help FA users, but it doesn't solve the general problem, which is that people don't have a chance to understand what is happening when they see an "all" grant.
How does a NID/all/0/100 grant speed things up over a NID/content_access_all/0/100 grant?
#6
the query just needs to queck for 'all' and not also for 'content_access_all'.
>fixed by FA specifically checking for CA and informing the user that he should not try to use CA on forum topics
hm, reaming it wouldn't change here anything or? Users never see the realms anyway.
#7
Without devel_node_access it's impossible to find out what's happening, and with DNA you see the realms — except if a module like CA masquerades, then you still can't find out what's happening. At least the users can't. Not showing your face results in confusion and unnecessary support issues. This will be a nightmare for FA, when you port CA to D6, because D6 forums can contain all sorts of content types, so CA will constantly be interfering with FA.
This is neglegible in most cases. Depending on how many roles you have, there are 10, 20, 30, or more realm/gid pairs to check. One more or less doesn't make any difference. Look at the debug output of DNA. For example, not creating an empty unused ACL record (plus three {acl_user} records each) for each node would make much more of a difference...
#8
ok, you have convinced me. However I don't think it's a good idea to change this in 5.x - as we would need to rebuild the whole node access and we know what troubles this can cause for users of big sites...
So I'd suggest we fix this in 6.x?
#9
Great. Yes, I agree that it's not worth the risk for D5, but with D6, rebuilding permissions is not an issue, and node access can be a lot more complex.
So, yes, please do fix it for D6 — thanks in advance!