Controlling node access rights for Announcements using node privacy by role
| Project: | Announcements |
| Version: | 6.x-1.1 |
| Component: | User interface |
| Category: | support request |
| Priority: | normal |
| Assigned: | NancyDru |
| Status: | closed |
I am using node privacy by role to grant access permission to content by user role. I may have some announcements, for example, that only pertain to users of a given role. And I want to hide all internal announcements from anonymous users. This approach has worked well with all of the other content types that I use, but not announcements.
The 6.x-1.1 version of announcements allows anyone with access_content permission to view announcements, regardless of the grants established in the node access tables. As I understand it, this happens because announcements_access() intervenes, returning true for view access provided the user has access_content permission (see http://api.drupal.org/api/group/node_access/6).
There are probably good reasons for doing this, but this was too coarse for my application. To allow node privacy to control access, I revised the announcements_access() function and added a call to node_access() in the theme_announcements_block_list() function to make sure the user had permission (i.e. the proper role) to view the announcement.
With these changes, announcements seems to work well with node privacy by role - the user only sees announcements intended for their role in both the recent announcements block and on the announcements page.
I've attached a patch in case there is any interest in this.
| Attachment | Size |
|---|---|
| announcements.module.diff | 2.29 KB |

#1
Thank you. I had a common misconception about hook_access, which you have now shown me to be wrong. However, reading again the docs you reference, I read it that adding a call to node_access is not correct either. The docs say to use db_rewrite_sql, which indeed was missing from the block display. I have added that. Since I do not have a complicated access set up, I would appreciate your testing this (-dev release) thoroughly. If it is now correct, I have a bunch of modules to update.
BTW, I also noted that the permissions needed an "S" on the end, so I did that. I also added an "access announcements" permission, which has recently been requested on several other modules. This is going to cause some heartburn, so, again, your testing is very important.
Thanks.
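The pattern discussed in the report and in #1, as an added example that is not part of this thread and not the Announcements module's code: a hypothetical Drupal 6 node module `example_notice` (module, type and permission names are assumptions), with the coarse hook_access() next to one that leaves 'view' to the node access tables, and a list query wrapped in db_rewrite_sql().

```php
<?php
// example_notice.module: hypothetical Drupal 6 node module (added example,
// not the Announcements module's code). All example_notice names are assumed.

/** Implementation of hook_perm(). */
function example_notice_perm() {
  return array('access example notices', 'create example notices', 'edit own example notices');
}

/**
 * BEFORE (too coarse, shown for contrast, not a hook): any non-NULL return
 * from hook_access() is final, so the {node_access} grants are never consulted.
 */
function example_notice_access_before($op, $node, $account) {
  if ($op == 'view') {
    return user_access('access content', $account);
  }
}

/** AFTER: implementation of hook_access(). Decides create/update/delete only. */
function example_notice_access($op, $node, $account) {
  if ($op == 'create') {
    return user_access('create example notices', $account);
  }
  if (($op == 'update' || $op == 'delete') && $account->uid == $node->uid
      && user_access('edit own example notices', $account)) {
    return TRUE;
  }
  // No return for 'view': NULL lets the node access tables decide.
}

/**
 * Links for a block or page list. Rows selected straight from {node} never
 * pass through node_access(), so the query itself has to be rewritten.
 */
function example_notice_recent_links($limit = 5) {
  if (!user_access('access example notices')) {
    return array();
  }
  $sql = "SELECT n.nid, n.title FROM {node} n WHERE n.type = '%s' AND n.status = 1 ORDER BY n.created DESC";
  // db_rewrite_sql() lets node access modules add their grant conditions.
  $result = db_query_range(db_rewrite_sql($sql), 'example_notice', 0, $limit);
  $links = array();
  while ($row = db_fetch_object($result)) {
    $links[] = l($row->title, 'node/' . $row->nid);
  }
  return $links;
}
```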
#2
Thanks. I also read about using db_rewrite_sql but then forgot to go back and fix my node_access() call - interesting that both work. I also like the new "access announcements" permission. It parallels many other modules and adds an appropriate level of control (just one more row of check boxes on the permissions page...).
I've only had a little time to test the new 6.x-dev release, but so far it works great without any problems. Here is a summary:
I created test announcements using node privacy settings to allow anonymous to view a subset of the active announcements. Anonymous could view the content (knowing the direct URL), but couldn't get to it from the announcements page (access denied) until I gave "access announcements" permission. With this permission, the page shows only the appropriate announcements for anonymous - all announcements for other roles are hidden. So this works just as I would expect it to.
I also had users of different roles create (and delete) announcements and everything has worked as expected. Users can see announcements they created, and those intended for their role.
The block list also shows only the appropriate titles etc., so the db_rewrite_sql seems fine.
If I find any problems, I'll report back. Thanks again, this is a great improvement!
(BTW. I also appreciate the sort order options for displaying announcements on both the block and the page - works great.)
#3
Great. Thanks for the update.
#4
Nancy,
You marked this bug as fixed, but I cannot find the fix in the CVS nor the most current package.
This is the same as my issue, but this fix is definitively better. 8-)
http://drupal.org/node/316958
Could we have this patch applied and a new version generated?
Thank you.
Alexis
#5
Nancy,
Okay, there seems to be at least one more place where you are missing an access check. It could also be missing within the pager and the taxonomy functions. I've been trying to see how to get the taxonomy to pop-up. So far I have not got anything. But if $delta is 1, then you get a list of any one announcements, accessible or not.
Thank you.
Alexis
#6
http://drupal.org/cvs?commit=143012 It will be in the -dev version. When a fix is committed it rolls into a -dev version around Noon and Midnight GMT that day. I do not roll out official releases very often because those who use Update Status will get emails or flags on their sites telling them to upgrade. If this is done too often, they complain. Using -dev releases allows others to test the fixes and make sure they work.
#7
Nancy,
Thank you for the note. I guess I should look at the latest -dev more often. Isn't the code going to the HEAD of the CVS? Because that should be up to date immediately, right?
Thank you.
Alexis
#8
I don't use HEAD at all, so I have no idea what is in there. I use DRUPAL-5 and DRUPAL-6--1 branches.
However, it's a bit strange, when I went to my code, CVS still has those lines marked as different from the repository, so now I have to go figure out why and what I committed.
#9
The "db_rewrite_sql()" should already have been limited to those nodes for which access is granted.
#10
Okay, I checked out DRUPAL-6--1 and I also don't see the differences. 8-)
I wonder whether the HEAD is auto-generated from the tags (and thus updated only once every 12 hours.)
Thank you.
Alexis
#11
It is there now. Fix committed on both branches.
#12
Automatically closed -- issue fixed for two weeks with no activity.