Home » Site Building Guide » Contributed modules » Comparisons of contributed modules

Overview of Node Access modules

Last modified: September 18, 2009 - 07:25

Drupal's API contains a pretty good description of how node access works (developers should also analyze the node_access function itself). There are many contributed node access control modules for Drupal and you really should understand the basics of node access before installing and configuring one. The API should suffice for developers but for the benefit of our many community members who build sites without reading code, here is a translation and some basic rules of thumb:

  • In general, you don't want to use more than one node access module on your site. There are many node access modules to choose from: taxonomy access, nodeaccess, simple access, workflow access, etc. We all tend to add lots of modules to our sites and to expect them to play well together, but node access is an area where we need to be extra thoughtful.
  • Users with permission to 'administer nodes' are never restricted by node access modules. Users who do not have permission to 'access content' will never gain access from a node access module. Only users who have 'access content' and not 'administer nodes' are eligible for the wild world of node access module control.
  • If a user's role has permission to create or edit a content type, or to edit their own posts in that content type, that ability will always be allowed regardless of your node access module's configuration. Delete access is included in the 'edit' permission. If you want to control creating, editing, or deleting of your nodes with a node access module, be sure to not give your users these permissions in the permissions table.
  • If your content type comes from an additional module (forum, event, etc.) other than cck, it may have its own permissions to set. Giving a role these permissions will also supersede the use of any node access module.
  • Node access modules always GRANT access and never restrict it. (It is a whitelisting rather a blacklisting system.) If you use two node access modules and one grants access while another does not, access is granted. One exception is the Module Grants module through which it is possible to combine access grants across multiple modules in a more intuitive way. Without it the displayed behaviour may appear backwards from what most people would assume and it's the reason why it is tricky to get involved with multiple node access modules. It is possible to use multiple node access modules in harmony however if for example they are applied to different content types or are giving out different grant types.
  • The four types of possible grants on a node are: view, update, create, and delete. You can use Devel module's devel_node_access to analyze a node's node access grants. (Doing so as a non-developer is a good sign that you've gotten into trouble with your node access modules and may need to follow the above advice!)
  • The node access table in the database can become confused if you have, for example, toyed with multiple node access modules or come into contact with a deranged one. If you have been involved with risky node access behaviors you should rebuild your permissions. You can find this option at admin/content/node-settings which is the 'Post Settings' configuration screen. It is rarely necessary.

Access modules

Security Modules lists some access modules and http://drupal.org/taxonomy/term/69 lists every module with the security tag.

Taxonomy based

Use these modules to control access based on those tags, vocabularies, and terms you already use, if you use them. Classification, taxonomy and tagging modules lists modules to help you classify and tag content.

Taxonomy Access Control

Access control for user roles based on taxonomy categories (vocabulary, terms).

Connect roles to terms. Useful if everyone has the right role. A good way to control a lot of people when they slot easily into a few roles.

Taxonomy Access Control Lite

This module restricts access so that some users may view content that is hidden from others. A simple scheme based on taxonomy, roles and users controls which content is hidden.

Take the Taxonomy Access Control role based access and add user based controls. Lets you assign users to roles and give the roles access to nodes by term but then lets you give special access to those annoying management types who refuse to wait while you create a new role. Also gives you a quick way to let contractors and temps grab quick access to resources. You know the situation. Hey it is seven minutes before your contract runs out. Rearrange the CRM system to include images the same as Facebook. I will give you access to the 398 nodes you have to change. Fix all the spelling mistakes while you are at it.

» Login or register to post comments

Not to be rude, but this page

SerenityNow - June 5, 2009 - 04:00

Not to be rude, but this page should maybe be retitled 'Overview of Node Access Modules' since it doesn't actually compare the existing modules or even list which ones are available...

The ones that I am aware of are:
*Content Access http://drupal.org/project/content_access
*Node Access http://drupal.org/project/node_access
*Taxonomy Access http://drupal.org/project/taxonomy_access

and there are probably others. I would tell what I know about how they compare, but I just installed Drupal and am trying to see what the differences are myself (which is how I got to this page)

Login or register to post comments

You're right. It seems like

danielb - June 8, 2009 - 01:05

You're right. It seems like more of a guide to figuring this info out yourself, and I'm not sure it gives you all the knowledge you need. I have a fair amount of familiarity and experience with these sorts of modules, so I could contribute a more specific writeup some time. The problem is these modules are many and new ones keep popping up, so it would have to get updated every few months.

Login or register to post comments
 
 

Drupal is a registered trademark of Dries Buytaert.