Taxonomy_access: Restrict user roles to access specific categories only
Allows the user administrator to control access to nodes indirectly, by controlling which roles can access which categories. http://drupal.org/project/taxonomy_access
Permissions can be set differently to each USER ROLES. Be aware that setting Taxonomy Access permissions works ONLY WITHIN ONE USER ROLE.
(For users with multiple user roles, see section "GOOD TO KNOW" below.)
On the category permissions page for each role, each category (vocabulary) displays a list of the terms within it, each with five types of permission: View, Update, Delete, Create and List:
- VIEW enables the user to access content (nodes) with given term.
- UPDATE, DELETE enables the user to Update/Delete ALL nodes with the given term.
(These two permissions are administrator permissions, that should be given ONLY to e.g. content administrators.) - CREATE enables the user to set that term when adding a new node or when editing a node.
- LIST enables the user to view the name of the given term below the title of a node or in category lists. It also controls whether a user can access the taxonomy page for the given term. (e.g. "taxonomy/term/*")
VIEW, UPDATE, and DELETE control the node access system. LIST and CREATE control if a user can view and select a given term. (Note: In previous versions of Taxonomy Access Control, there was no LIST permission; its functionality was controlled by the VIEW permission.)
VIEW, UPDATE and DELETE have three options for each term: Allow, Ignore, and Deny. Indicate which rights each role should have for each term.
CREATE and LIST have only two options for each term: YES (selected) or NO (deselected). Indicate what each role should be allowed to do with each term.
IMPORTANT NOTE:
The DENY directives are processed after the ALLOW directives. (DENY overrides ALLOW.) So, if a multicategory node is in Categories "A" and "B" and a user has ALLOW permissions for VIEW in Category "A" and DENY permissions for VIEW in Category "B", then the user will NOT be permitted to VIEW the node. (DENY overrides ALLOW.)
Access is denied by default. So, if a multicategory node is in Categories "C" and "D" and a user has IGNORE permissions for VIEW in both Category "C" and "D", then the user will NOT be permitted to VIEW the node.
(If you are familiar with Apache mod_access, this permission system works similar to directive: ORDER ALLOW, DENY)
Allow/Ignore/Deny All or Select/Deselect All:
Beside each vocabulary title there are dropdowns containing the options that can be set for individual terms. Selecting one of these options using the dropdown effectively selects that option for ALL of the individual terms inside that vocabulary when the options are saved.
Selecting "--" does not make any automatic changes to the permission of the terms in that vocabulary; only manual changes that you make will be saved.
NOTE: This does not change the "Default" option (described below).
Default:
This option, just underneath the vocabulary title, sets the permission that will automatically be given to the role, for any new terms that are added within the vocabulary. This includes terms that are added via free tagging.
GOOD TO KNOW:
Users with multiple user roles: Allow/Ignore/Deny options are interpreted only within one user role. When a user belongs to multiple user roles, then user gets access if ANY of his user roles has the access granted.
In this case, permissions for the given user are calculated, so that the permissions of ALL of his user roles are "OR-ed" together. Meaning that Allow will take precedence over Deny. This is different from how node access permissions (for multi-category nodes) are handled within ONE USER ROLE, as noted above.
Input formats: Node editing/deleting is blocked, even when user has UPDATE/DELETE permission to the node, when user is not allowed to use a filter format that the node was saved at.
taxonomy access by category
Is there a way to control access to a taxonomy category and its nodes using roles but restricting them in the taxonomy, not in the roles? I mean restricting the category to gran specific access levels to specific role
taxonomy_access-6.x-1.x-dev working?
I've loaded the taxonomy_access-6.x-1.x-dev version of the TAC, created a couple of test accounts with unique roles (TestMember, TestClient), created a TAC vocabulary with categories (Member, Client), limited the Grants for these Categories to the accessRoles defined, and then tagged test Content Nodes with these Categories. I can still access the tagged Nodes using a regular Authenticated account. Am I missing anything or is this "dev" status module not working? I also rebuilt the Permissions under Admin|Content management|Post settings resulting in no change to the symptom.
OK, here is the resolution. The Authenticated role must be explicitly set to Deny access to the Categories (Member, Client) to prevent access.
I don't understand why this
I don't understand why this isn't working for me.
I created a vocab called "vocab test". I added terms Term 1, Term 2, Term 3.
In the TAC I clicked *default* right under vocab test added it and set everything to D. I left the create and list unclicked. I "saved all" and a non-logged in user can still see that story/page type.
Is there more documentation on getting this to work anywhere?
Thank you
Also having problems
Color me confused too. My goal: Have a term "locked" that will prevent modifications to a node by anyone non-admin. (I.e. not user #1)
- Created Taxonomy Vocabulary "Node Status"
- Added Term "Locked"
- In TAC, modified permissions for "Authenticated User"
- Under "Node Status" category, term "Locked", set restrictions to: View - Allow, Update - Disallow, Delete - Disallow, Create - No, List - No
However, this results in authenticated user still being able to edit the content of nodes with the "Locked" term. :(
(The only change is that the authenticated user is not allowed to change the "Note Status" terms.)
If I change the "View" permission to "Deny", this does prevent the authenticated users from seeing the Locked nodes.
Can someone give some step-by-step examples of successfully using this module? Perhaps I (and others) have the wrong idea of what it can do or how it works.
Follow-up
I came close to my desired outcome of using a taxonomy term to make a node read-only. In hopes of helping others, here are some tips I picked up.
I've given up on using this module for now an am creating a separate content type that I can set permissions on. This solution is not ideal, as it will create complications when I need to add CCK fields later. :(
How I've been using the module successfully
I've been very successful with this module. There are areas of our website which can only be viewed by certain types of roles (for example, dancers or parents of children in performances.) There are also areas that can only be edited by certain roles. I have this all working perfectly (at least for what I need it to do!)
This is what I did:
1. I created a new vocabulary for different types of Page Nodes. I called mine "Page Content Category."
2. Then I created terms for this new vocabulary. For example, "Parent," "Dancer," "News," etc.
3. When I create a new page node I choose a term from the drop down that pertains to that node's content (ie, "Dancer" for the page content that will only be seen by the role "Dancer").
4. I created roles that for visitors either viewing or editing pages, such as "Parent" and "Parent Admin" and gave the roles appropriate permissions in Admin > User Management > Permissions.
5. I went to Admin > User Management> Taxonomy Access Permissions and enabled the permissions for each of my roles. This part can be very laborious especially if you have a lot of different types of content you want to control via taxonomy. You will need to enable permissions for each and every role and for each and every term that you want to be affected by taxonomy permissions
6. For those roles who are not allowed to see any content related to a certain taxonomy term, I added that term via the drop down and set the View, Update and Delete permissions to "D." For the roles who can read but not edit the content, I set the permissions to A for View and D for the rest, and for those roles who can view, update and delete the content, I set all their permissions to A. I left the default settings as is in all cases.
7. I made sure that in Admin > Settings > Filters the roles that can edit content are able to use the same input format as the format used to create the node in the first place. This really messed me up at first. I created the content using Full HTML and I wanted the editors to only use Filtered HTML, but that blocked the editors form making edits. So all my editors are now using Full HTML. Note to module creator: I would to be able to control what input format my editors are using!
Anyway, that's it!
Good luck!
It works for me...
But only after many hours of trial and error! The settings are complex in the way they interact, and not intuitively obvious. But the module definitely works as advertised. I'm using "6.x-1.0", released (I think) June 11, 2009. Prior version(s) worked fine for me as well.
My advice, instead of setting up "realistic" test scenarios as described above (multiple taxonomies & terms):
Pretty soon, the settings table actually began to make sense :-) In fact, when taking notes on their effects, I realized I was just re-creating the settings table...
Documentation
You need to improve your documentation. Perhaps defining what the A I D letters mean on the editing page (like with a map key._ As well as clearly stating what they all do rather then referencing Apache, and that "they just work like that." It does not count as documentation to mention that. A simply list here or on a little help pop-up in the module would be hugely useful. Just list each term and a description as to what it does. Reading the above page does not tell me how the ignore option behaves.
I like open source projects, but I hate allot of the documentation.
Another thing, you might want to include a key for when editing permission that defines what everything at least means. Just listing A I D Create List is too vague.
Thank you for tolerating my rant. Thank you for an otherwise fine module.
yes
I've looked at the Apache documentation and they have Order, Allow Deny. What is Ignore? What does it do? I can't find this information. I'm trying to fix an application put together by someone else and would be ecstatic if I could find out just what is going on with these permissions. Allow and Deny seem pretty straight forward but Ignore has me lost. Yet it is the most checked option in the application I'm dealing with.
what is the answer?
how is ignore different than deny?