By dreftymac on
I know there has to be something like this out there somewhere, but I have not found it.
The question is, how do Drupal permissions work when they are applied to more than one user role, and a given user X is a member of more than one role.
Are Drupal permissions transitive?
Does the user X get the least-privilege permission for every role he is in?
Does the ADMIN account lose privileges if it is included in a role with lesser permissions?
Is there a diagram or schematic or plain-English document or node that details these boring miscellany about permissions?
TIA
Comments
=-=
yes
no
you can start with the
You can start with the handbook, though it doesn't answer all your questions:
http://drupal.org/getting-started/6/admin/user
This video is really good:
http://gotdrupal.com/videos/understanding-drupal-permissions
Hey mark12b, Thanks for the
Hey mark12b,
Thanks for the links. That video was exactly what I was looking for.
On a side-note, I notice the subtitle of the video is called "Navigating the checkbox maze" ...
Have you (or anyone else) found a clean and efficient way to turn on and off whole groups of checkboxes at once?
The "click one box at a time" work-flow is a huge usability nightmare.
TIA
hm, seems like i heard of
Hm, seems like I heard of something like that at one point, but I'm not coming up with anything right now. Yeah, clicking the boxes one by one is tedious, but fortunately it's not something you have to do all the time, and overall it's probably a good thing to be deliberate when setting up site permissions anyway.
When a user has multiple
When a user has multiple roles, the permissions are OR-ed together: If one role allows and another doesn't, then the allowing one wins.
This means that if a user gets a permission from several roles, that permission can't be revoked unless you remove all those roles from the user. So, if you need to remove some specific user permissions easily, use additional small single-purpose roles for them.
Permissions don't apply to user #1. The code exempts that user account explicitly from any permission checking.
This mechanism often makes it hard to use more than one access control module at the same time, because one module may restrict access to some content and another one may allow access (and win). There have been patches for allowing some content access modules to cooperate, such as http://drupal.org/node/196922 which can be used with the og, domain, and taxonomy_access modules.
The logic may work a bit differently inside a particular access control module. For example, the taxonomy_access module, which gives to roles permissions for categories, follows an "allow-deny-ignore" logic when a node is tagged with multiple categories and can be accessed through some of them. Then, after that role's permissions for that node have been decided in this way, the usual core logic takes over again.
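
The OR-ing of role permissions and the user #1 exemption described in the answer above, as an added PHP sketch that is not part of the thread and is not Drupal's own code. The role names, user arrays and function names are hypothetical, and the role data is constructed for illustration.

```php
<?php
// Constructed sample data (not from a real site): role => permissions it grants.
$role_perms = [
    'editor'    => ['access content', 'edit any page content'],
    'moderator' => ['access content', 'administer comments', 'edit any page content'],
    'commenter' => ['access content', 'post comments'],
];

// Roles held by the user that grant $perm. Every role in this list has to be
// removed from the user before the permission is really revoked.
function granting_roles(array $user, string $perm, array $role_perms): array {
    $hits = [];
    foreach ($user['roles'] as $role) {
        if (in_array($perm, $role_perms[$role] ?? [], true)) {
            $hits[] = $role;
        }
    }
    return $hits;
}

// Model of the check: user #1 is exempt from permission checking; for
// everyone else, one granting role is enough (roles are OR-ed, never AND-ed).
function has_permission(array $user, string $perm, array $role_perms): bool {
    if ($user['uid'] === 1) {
        return true;
    }
    return count(granting_roles($user, $perm, $role_perms)) > 0;
}

$perm  = 'edit any page content';
$alice = ['uid' => 7, 'roles' => ['editor', 'moderator', 'commenter']];

// Audit step: list which roles would all have to go to revoke $perm.
echo "Granted by: " . implode(', ', granting_roles($alice, $perm, $role_perms)) . "\n";

// Removing only one of the granting roles leaves the permission in place.
$alice['roles'] = array_values(array_diff($alice['roles'], ['editor']));
echo "After dropping 'editor': " . var_export(has_permission($alice, $perm, $role_perms), true) . "\n";

// Removing the remaining granting role is what actually revokes it.
$alice['roles'] = array_values(array_diff($alice['roles'], ['moderator']));
echo "After dropping 'moderator': " . var_export(has_permission($alice, $perm, $role_perms), true) . "\n";

// User #1 passes the check even with no roles and a permission no role grants.
$root = ['uid' => 1, 'roles' => []];
echo "User #1: " . var_export(has_permission($root, 'administer users', $role_perms), true) . "\n";
```

Running `granting_roles()` for a sensitive permission before changing a user's roles shows whether a single role removal will have any effect.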