Hello,
I've been struggling with a way to control access to certain website content, some of which undergo a publication workflow using Module Grants and Revisioning and some of which bypass the workflow.
In a nutshell, I have anonymous users, authenticated users, editors, and authors. I want to allow anonymous users (and authenticated users) to view certain content of a specific type (e.g. Pages) but not other content of the same type that are only for authenticated users. Similarly, I have several content types, some of which undergo a publication workflow, in which the content is entirely for viewing by authenticated users only, and other content types that are for viewing by anonymous and authenticated users.
I've tried using Content Access module, and node privacy byrole module but both result in 'access denied' messages on pages that I thought I configured the permissions correctly on the module settings.
I'm posting here (rather than CA or NPBR) since the important feature of my website is the publication workflow and content access needs to be worked around that.
I've also considered using TAC lite - is this my only alternative? Have others been successful in implementing node access control similar to mine using CA or NPBR in conjunction with Module Grants and Revisioning? If so, I'd really appreciate some general advice and direction to accomplish this.
Thanks in advance for any help.
Comments
Comment #1
rdeboerHi dleong,
Have you looked at or tried the tutorials below and compared your requirements to what these three increasingly more elaborate publication workflows are capable of, i.e. have you done a gap analysis?
o Revisioning at its simplest
o Revisioning with categorised content , using TAC-Lite
o Revisioning with state-based content access control, using Workflow
Note, that the creation of new and moderated revisions can be switched on/off per content type (go to /admin/content/types and press the edit link for the content type in question; then look under "Workflow settings".
Together with role permissions that should get you a long way.
You don't mention anything about taxonomies (eg departments, regions...),so it is not clear to me why you feel TAC (or TAC-Lite) would be required in your case.
The Workflow module might be useful (in combination with Revisioning, see above tutorial)... again it depends on your exact requirements -- if you follow the tutorials above you'll find out what's missing for you, so that you can ask more specific questions.
What is it in particular that makes you convinced that Content Access and Node Privacy By Role are (both) mandatory for what you are trying to solve?
See also: http://drupal.org/node/410572
Comment #2
dleong commentedThanks so much for replying, Rik.
I based much of my publication workflow from what I learned in the 'Revisioning with state-based content-access control' tutorial. My apologies, I forgot to mention that I use the workflow module as well.
Under the workflow settings section of my content types, the types that go thru the workflow have 'create new revision' and 'new revisions in moderation' boxes checked (as per the tutorial) and the content types that bypass the workflow have only the 'create new revision' checked. Would 'view revisions' permission under the node module of the User management/permissions page need to be granted for those roles I want to be able to view those content types that have 'create new revision' checked?
I am using the taxonomy module already to keyword index my content - so I thought TAC lite would be a reasonable choice by adding a vocabulary to separate public vs. private content. I found the third tutorial perfect for setting up my site's publishing workflow but without some access control, all the content is publicly visible and we have some material we would like accessible only by authenticated members.
I'm not convinced that CA or NPBR is the solution nor am I bound to using either of them; if, in your experience (which I can say for certain is MUCH more than mine using the Drupal environment) there is a better or more established way of accomplishing what I want, I'd really appreciate the assistance. Perhaps CA or NPBR is the way to go but I'm just using them incorrectly in conjunction with permission settings in workflow or revisioning....
Thanks again,
Dennis
Comment #3
rdeboerHi Dennis,
Before we jump to solutions (to what you may not need), shall we take stock for a minute and clarify what the issue is? I have no doubt that you know, but some of the requirements may be in your head and not explicit on this forum, yet.
But I'm intrigued and would like to find out why a simple combination of "Module Grants + Revisioning + Workflow" wouldn't work for you... (maybe when we've sorted this out, we can publish our experience in another tutorial...?).
So to better understand what you need, can you please clarify some details...
You talk about "public" vs "private"... By this do you mean "visible to anonymous users" vs "visible to authenticated users (in some role)"?. If this is the case, then I don't think you need to assign the public/private categories, as this is already covered by the published/unpublished flag in combination with role permissions.... which would simplify things in that TAC(-Lite) would not be required...
You say: "without some access control, all the content is publicly visible".... As far as I know, content is only immediately visible publicly when the administrator ticked the "Published" box under Content management >> Content types >> edit >> "Workflow settings", for the content type in question. My recommendation in the context of publication workflows is to make sure "Published" is unticked, as it normally doesn't make sense to make content visible for all to see *before* it has been put through an approval (i.e. workflow) process. The primary goal of the Module Grants+Revisioning module pair is to deal properly with this situation, that is to handle access control of unpublished (as well as published) content.
I suggest that initially you disable the TAC-Lite, Content Access and Node Privacy By Roles modules for now, just so that whatever it is that's not working for you sticks out like a sore thumb. Then we can progress from there one step at a time, rather than throwing too many variables into the mix at once, as this make it hard to pinpoint what exactly isn't working for you.
Finally to answer one of your questions.... if Module Grants is enabled, then if content is UNpublished, the user (logged-in or not) must have (at least) the "view revisions" permissions to view that content.
Keen to hear how you go...
Rik
Comment #4
dleong commentedRik,
Thanks for the assistance. I'll address each of your questions and do my best to clarify the situation:
Firstly, you're spot on about public vs. private. I would add that this distinction refers to users accessing PUBLISHED content. So I have published content that should be visible only to anonymous (and authenticated) users and other published content that should be visible only to authenticated users. Within authenticated users, there would be registered visitors as well as our organization's staff comprised of authors, editors, and admins. While there are distinct categories of authors and editors (e.g. nurses vs. physicians vs. pharmacists who produce different content), our organization is small enough that all authors/editors can have viewing/editing privileges regardless of the category. Registered visitors may also be subcategorized to different groups so that some may have access to certain published content and others may not (e.g. those who would subscribe to created book content). Using workflow states and triggers, I have set up the publishing workflow utilizing the different roles in our organization so that unpublished content becomes un-editable by authors once it goes to review, it can be 'sent' back to draft for further revisions by authors, published content can be revised as updated information becomes available, etc.
"The primary goal of the Module Grants+Revisioning module pair is to deal properly with this situation, that is to handle access control of unpublished (as well as published) content."
Secondly, I think I've achieved adequate access control of unpublished content as it goes through the publishing workflow thanks to the tutorials you pointed out earlier. What I'm struggling with is customizing the access control of published content to accommodate the different categories of users that will be visiting our site. If the module pair can do this without the addition of more access control modules, then I've overlooked it so far.
I've disable TAC-lite, CA, and NPBR. Under the node module of the permissions page, 'view revisions' is granted to our admins, authors and editors but not anonymous or authenticated, and 'revert revisions' is granted to admins and editors only. As a result, unpublished content behaves as it should as it goes through the workflow.
Thanks again,
Dennis
Comment #5
rdeboerHi Dennis,
Congratulations on getting the workflow part working!
By the way, what do you use the triggers for? As you know, triggers aren't strictly necessary for the separation of author and moderator responsibilities. Did you just use a trigger to enhance the moderator's user experience as outlined in the tutorial or for something more substantial?
In the context of drupal, "user categories" is a bit confusing, as "categories" is often associated with content taxonomies (aka vocabularies). "Users" have "roles".
So what I understand is you have:
o anonymous users (i.e. visitors to the website that don't log in)
o an Author role
o an Editor (=Moderator?) role
o a Registered Visitor role
o a Book Subscriber role
Are there more? Where do nurses, physicians and pharmacists differ in what they can/cannot do?
I note, that users may have multiple roles (this feature comes out of the Drupal box: User management >> Users >> edit).So some users starting in the Registered Visitors role, may at some point also gain the Book Subscriber role (if they pay you enough -- haha).
In terms of content, it appears you may need:
o a taxonomy/category/vocabulary that holds, at a minimum, a "book" and an "other" term, or
o a book content type
To start with the second point, you know that out of the box, Drupal allows you to assign edit and delete permissions per content type, e.g. per book content type. However, as explained in the tutorial(s), these permissions, if granted, override anything you may want to do with the Workflow or TAC-Lite modules, destroying all your good work regarding revisions and publication. So going down this path is unlikely to get you very far.
You may be able to do some more work with the workflow module.
Workflow's access grants apply per workflow/content type(s) combination. By that I mean that if you want access grants for some content type (say a custom "book content" type), to be different from all other content that participates in a workflow, then you could create a second workflow for this (book) content type. It would most likely be identical to the workflow for the other content types w.r.t its states and transitions, but as far as the view/edit/delete grants go, the "book content workflow" would allow the Book Subscriber role to view (published) "book content" whereas the Registered Visitor role would be denied all access.
Could be worth a try?
Alternatively, you could enhance the workflow you already have with a TAC-Lite approach.
I suggest you go through the "Revisioning with categorised content" again, but adapting it for your needs, i.e. changing some of the wording, e.g "department" vocabulary becomes "content category" (with terms "book" and "other" for starters). With the simple taxonomy in place, you can control for all roles (Authors, Book Authors, Registered Visitors, Book Subscribers) whether they're allowed to create (via the normal permissions), update and/or delete (via TAC-Lite) any piece of content and distinguish between "book" and "other" categories.
The Module Grants module will make sure that TAC-Lite and Workflow work together in harmony.
Comment #6
dleong commentedHi Rik,
I use triggers to enhance the workflow by e-mailing editor/reviewer roles when there are new content submissions (or the authors when the content is returned back to a draft state for additional revisions) as well as to automatically publish the most recent pending revision once the content moves from review to publish state (to avoid the 'Publish/Unpublish this revision' hyperlink appearing on the node page when viewed by editors, I disabled their 'publish' and 'unpublish' permissions under the revisioning module).
You are mostly correct in your understanding of the different roles assigned to users (sorry for my use of confusing terms - I'm still new to Drupal but learning a lot as quickly as I can). To clarify, I don't have an 'author' role per se, but I have 'pharmacist', 'nurse', 'medical' roles that have permission to create certain content types (e.g. pharmacists are able to create/edit only drug-related content types, nurses only patient-care related content types, etc) so they are my authors. The medical role is primarily involved in the content review process of the workflow. I also have a 'student' role that I'm trying to set up to have a time-limited account (i.e. their account/ login privileges expires after a specified time).
I have created new content types specifically for drug-related and patient-care related content (a listing of drugs and a book/manual on patient-care aspects, respectively) but I also still use the more 'generic' Page and Story types for other content. I think therein lies part of my problem - some pages/stories are meant to be viewed by anonymous users, while others are meant to be viewed by registered (authenticated) users. The Pages content type is not included in the publishing workflow (since either I or another administrator will be creating them) but 'Story' type is included. All content types are tagged with drug/medical-related keywords that I've created with the Taxonomy module.
Re: assignment of edit/delete permissions per content type via the Node module
Agreed - not an option for content that uses the publishing workflow; however, I can assign those permissions to types that don't use the workflow (e.g. the 'Pages' content type).
At the moment, I have the same single publishing workflow assigned to all my content types that require it. I thought about creating separate workflows for different content types in order to set different role permissions for 'view posts in [publish] state' within the workflow access control but because of the number of roles and states involved (I have creation, draft, editorial review, medical review, executive review, publish states), even setting up the first workflow with appropriate transitions and triggers was quite arduous (checkbox and dropdown list fatigue....I'll stop whining now) and I wasn't sure if it was the most efficient way meeting my needs. Plus, the addition of workflows per content type still doesn't address the issue of having different levels of access for one content type (e.g. some but not all page type content restricted to registered user access).
I'll go through the second tutorial again and look to using TAC-lite; I'll post any additional roadblocks and/or results if you don't mind. I guess it's safe to say that CA and NPBR are not options then?
Thanks,
Dennis
Comment #7
rdeboerHi Dennis,
Wow that's one hell of a workflow you've got there! A great test-case!
"All content types are tagged with drug/medical-related keywords that I've created with the Taxonomy module."
The plot thickens. If you extensively use taxonomies already, then I think TAC-Lite may be the way to go (in combination with your existing workflow). Like you say yourself: you want your access grants to depend not just on the type of content and its state, but also on taxonomy term set inside each individual piece of content.
Regarding node module options... "not an option for content that uses the publishing workflow; however, I can assign those permissions to types that don't use the workflow (e.g. the 'Page' content type).
Again, watch out with those pesky node module permissions. Content of type 'Page' may not participate in workflow, but if it has a taxonomy attached and you want to control access based on the taxonomy values (terms), then make sure you switch off the edit & delete permissions of the node module for the 'Page' content type or they'll supersede anything you try to do with the TAC-Lite or Workflow modules using that content type. "create" permissions are fine, as these aren't covered by TAC-Lite or Workflow and you do want certain roles to be able to create content.
If there are lots of roles AND lots of content types AND lots of states involved, then the Workflow-only approach will cause your set-up to explode (I think there might be a Cartesian product lurking in there somewhere).... I think you have started to feel some of that pain... In your case I would try the TAC-lite approach with a single workflow first. I don't know of a way to copy workflows in the Workflow module (but I'm not it's author or maintainer).
RE: performance.... I don't think that you'll notice any performance deterioration when using multiple workflows, it's not CPU intensive.
Your system of permissions and access grants is quite complex. Should you run into trouble and want to peek "under the bonnet" you can uncomment a couple of debug lines in the /sites/all/modules/module_grants/module_grants.module.
In the file
module_grants.modulethere are 2 lines starting withSimply remove the leading slashes from these 2 lines.
Then click around your site as per usual and see what the debug messages tell you. In interpreting these messages note, that access codes greater than zero mean "access granted", while 'access=0' means "access denied".
I'm not saying that you shouldn't use the Content Access or Node Privicy By Rules modules, it's just that I have no experience with these, so can't comment. Plus I still have the feeling that your problem domain is by and large one that is targeted by the TAC(Lite), Workflow and Revisioning modules, so why introduce more modules, hence more interactions and likelihood of cross-module interference.
From its description CA seems more of a user-interface layer on top of Drupal's existing permission mechanisms, rather than being a permission mechanism itself (but I could well be wrong). By all means, once you feel you've got things under control, switch it on and see what it does for you. Same for NPBR. You're not on a path of no return, you can always uninstall what's not working for you.
I would go one module at a time though --- that's probably ambitious enough in your business domain, it has so many variables.
Good luck!
Comment #8
rdeboerAnother useful tool to analyse node access grants can be found in the Devel module. Under Site building >> Modules click "Devel node access", then under Site building >> Blocks configure "Devel node access by user" to be in, say, the right side-bar.
Finally, under User management >> Permissions switch it on for all "authenticated users".
Now visit a node and you'll find that a table on the right of your screen will list what access grants each user has to that node:
I suspect though, that the access grants shown this way follow the core Node module approach, which means that they won't apply to unpublished content and also may tell you the wrong thing when you have multiple node access modules installed (e.g. Workflow and TAC-Lite together) in combination with Module Grants. As explained on its project page, Module Grants ANDs the access rights together between node access modules, whereas the core approach is to OR these.
Comment #9
dleong commentedThanks very much for all your help, Rik.
I'll post an update on my findings.
Comment #10
rdeboerThe patch mentioned in #453436: Add configurable setting that enforces explicit AND between multiple node access modules should greatly improve the way Module Grants works with other content access modules. It has been incorporated in Module Grants version 6.x-2.4
Comment #11
rdeboer