Is it smart to define a lot of roles, and a lot of 'content types'?
I would like to discuss a case where I build a site that has '1 webmaster per country'. It must be guaranteed that the webmaster of country A cannot add, delete, modify the pages of the webmaster of country B (this is a customer requirement).
The mechanism I apply to make sure A cannot add, modify, or delete pages of B is:
- I create one 'content type' per country for which I have a webmaster.
e.g. pageFromDenmark, pageFromBelgium,...
- I create one role for each country where there is a webmaster:
e.g. webmDenmerk, webmBelgium,...
- In the 'user management' /admin/user/permissions pages, I make sure that the webmaster with role A can only edit, modify, delete the pages for his own country.
E.g. webmDenmerk can modify, edit, delete pageFromDenmark.
So, my questions are:
============
- Is this a great idea, or a stupid one for which there is a more simple alternative?
- Will this mechanism work with >300 country-based webmasters, and consequently >300 roles and >300 'content types'?
Surfing to admin/user/permissions will become a nightmare...
- Will I not get stuck as a result of creating too many roles and too many 'content types', with too slow a performance as a result?

menus
And I don't really have a solution for the menus in the above case. Everyone can edit everyone's menus...
I'm also interested
in what people have to say about this!
You shouldn't give them
You shouldn't give them permissions to modify menus or blocks, except if you make it a multisite with separate menus and blocks in the database.
You could create a conditional menu block for them using some php to produce, for example, "node/add/$country-nodetype" links according to their role.
Organic Groups?
It seems to me that organic groups would fit the description set above. I don't know though if it would handle 300 different groups...
It probably
It probably would.
http://groups.drupal.org/ has 518 groups with 50,000 subscribers at this moment.
About the roles/content type solution, there is nothing fundamentally wrong with it. You can't avoid the 300 roles, except if you use a module which assigns permissions to users individually (which I am not sure you want to do).
You can avoid the 300 content types by using 300 categories and some contributed module, but content type permissions are more bulletproof (less likely to break or misconfigure). I am saying this from experience in the support forums. On the other hand, taxonomy is more flexible, and you could give to all of them a few different node types to choose from, making every country section more flexible.
If each of the content types
If each of the content types is basically the same except for being assigned to different countries, you might want to look at TAC (Taxonomy Access Control) to restrict access. You could have a vocabulary called country and put each country name in it and then use that taxonomy entry to control access.
http://drupal.org/project/taxonomy_access
http://drupal.org/project/tac_lite
http://chasesagum.com/how-to-use-the-tac-module-for-drupal
http://www.lullabot.com/articles/private_forums_in_drupal_forum_access_v...
-------------------
http://www.PrivacyDigest.com/ News from the Privacy Front (Drupal)
http://www.SunflowerChildren.org/ Helping children around the world ( Drupal)
TAC vs working with roles and content types
First of all, thanks for all the tips!
It took me a while to digest all the info, but I conclude that even in case I use the Taxonomy Access Control module the above mentioned >300 roles must be created (one term will then be assigned to one role). In that case, I think I'll go for the solution where I create one role + one content type per country (I'm less afraid of having >300 content types than of having > 300 roles).
Still... something doesn't
Still... something doesn't feel right with all those roles because you have only one webmaster per country. It is ugly. The stumbling block here is the "create" permission, which can be assigned only per role and per content type...
(Just talking to myself here) To allow the users to "create" in a private space, you need
- either to give each user a content type... No existing module assigns content types to individual users,
- or give them only one shared content type and different sets of categories to tag their posts... No existing module assigns categories to individual users.
Maybe presenting all the content everywhere through views by author... No, it seems more economic but it is restrictive and in the end all those views will have a cost.
If anyone has any different idea to avoid the hundreds of single-user-roles but to keep the ability to "create" separate content, I am curious.
----------
Maybe it is possible to make the idea of regional sites using views by author more realistic, with some module such as http://drupal.org/project/domain or even pathauto + http://drupal.org/project/subdomain, by placing the user content in subdomains.
I only know a few things about the first of these modules. It is essentially an access control module working on a single Drupal site accessible from many subdomains, and makes the content created on one subdomain visible only by browsing to that subdomain. And the subdomains can be user names presented as country names.
User Force Term?
http://drupal.org/project/user_force_term
From what I can make out, this module can force a particular term for each user. Seems relevant.
Maybe using this there can be one content type which has a forced (different) term for each user?
AND Content Access
And use Content Access module to restrict editing only to the author of each node.
This doesn't seem necessary.
This doesn't seem necessary. "Edit own" exists in core. The content access module would be useful in case we wanted "view own", which core doesn't have.
Very handy. So, there can be
Very handy. So, there can be only one content type, whatever a country-user creates gets tagged automatically with a country, and the only thing left is to set up how to present these country categories separately in the country sites.
I see that the module needs a D6 version.
------------
I was going through the modules and I saw several kinds of autotagging modules, some active and some semi-abandoned.
There is "taxonomy_defaults" which auto-assigns a predefined term, there is "autotag" which auto-assigns terms found in the content, there is "nat" which creates and assigns a term specific to the node, there is "bats" which assigns a term based on the parent page in a book, and of course "user_force_term" already mentioned.
In some of them this function is a part of doing something else. But things seem ripe and, although I am no oracle, someone is bound to come up with a clean token-based autotagging module soon.
Then the summary is
Then the summary is http://drupal.org/project/user_force_term + Taxonomy Access Module can do the job.
But, not yet for D6 because user_force_term does not exist yet, and TAC is still in dev.
Therefore, D6 users can do as I propose: one 'content type' per country and one role per country. And, doing so, who knows that country A C all of a sudden wants two or three users to work on their country website, I will just assign the same role to them and they will be fine.
P.S. I hope D7 is not launched too quickly, there is soooooo much work left on D6...
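
With one role and one content type per country, the permissions page grows too large to check by eye. The following audit is an added example, not code from the thread or from Drupal: it flags any country role that holds a permission on another country's content type or a site-wide permission such as menu administration. It assumes permissions are available as one comma-separated string per role and follow Drupal 6 core naming (`create X content`, `edit own X content`, and so on); the machine names `pagefromdenmark` and `pagefrombelgium` and the sample data are constructed.

```python
import re

# Assumption: Drupal 6 core names node permissions "<verb> <type> content".
NODE_PERM = re.compile(
    r"^(create|edit own|edit any|delete own|delete any) (\w+) content$")

# Site-wide permissions that would defeat the per-country separation
# (menus and blocks are the gap raised in the thread).
SITE_WIDE = {"administer nodes", "administer menu", "administer blocks",
             "administer permissions", "administer content types"}


def audit(role_perms, role_to_type):
    """Return sorted (role, permission, reason) tuples for every violation.

    role_perms:   role name -> comma-separated permission string
    role_to_type: role name -> the single content type that role may manage
    """
    findings = []
    for role, own_type in role_to_type.items():
        for perm in role_perms.get(role, "").split(","):
            perm = perm.strip()
            if perm in SITE_WIDE:
                findings.append((role, perm, "site-wide permission"))
                continue
            match = NODE_PERM.match(perm)
            # A node permission on any type other than the role's own is a leak.
            if match and match.group(2) != own_type:
                findings.append((role, perm, "foreign content type"))
    return sorted(findings)


# Constructed sample: webmBelgium has been misconfigured twice.
ROLE_TO_TYPE = {"webmDenmerk": "pagefromdenmark",
                "webmBelgium": "pagefrombelgium"}
SAMPLE_PERMS = {
    "webmDenmerk": "access content, create pagefromdenmark content, "
                   "edit own pagefromdenmark content",
    "webmBelgium": "access content, create pagefrombelgium content, "
                   "edit any pagefromdenmark content, administer menu",
}

if __name__ == "__main__":
    for role, perm, reason in audit(SAMPLE_PERMS, ROLE_TO_TYPE):
        print(f"{role}: '{perm}' ({reason})")
```

Running it after every change to the permissions page gives a repeatable check that the customer's isolation requirement still holds.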