I want the users only have access to cases which is assigned to themselves and unassigned cases.
I used content_access module but it only enables me to set accesses based on content type and node by node. (if it had content access based on a view, it would solve my problem)
Besides I can restrict access to the casetracker related views, but the user can access the cases in recent posts!
Is there any way to edit casetracker.module to add a permission to it which uses a sql query for this purpose?

Comments

jmiccolis’s picture

jmiccolis commented

I'm sure that there is a way to edit casetracker.module to do what you want, but it sound to me like you may be better served by drupal's node_access system. Implementing a node access module that relies on the assignee to determine access rights would directly address the needs to mention.

JonoB’s picture

JonoB commented

Isnt it possible to achieve this using the casetracker_project_cases view?

Maybe adding an argument for Cases>Arguments>Case Tracker: Case status

Havent tried this myself in this instance (although I have used views to only allow access to casetracker to specific roles) ...just throwing it out there

masood_mj’s picture

masood_mj commented

The views cannot help because the illegal user can access it using recent posts or search engines or even links saved on a computer!. You know that views works in the presentation layer which is above access (security) layer.

thanks jmiccolis I will read the documents.

jmiccolis’s picture

jmiccolis commented

@masood_mj did you come up with a solution for your need here? This issue has come up again http://drupal.org/node/475538 and I'd like figure out a good way to address these sorts of needs.

pdarnell’s picture

pdarnell commented

My point from the other thread is that I need restrict users (using roles) to view only cases they authored.
I see that the URL casetracker/my gives all cases assigned to me,
If you could provide casetracker/myauthored to give all cases authored by me, and no links or tabs to get at other cases, I am good to go.

masood_mj’s picture

masood_mj commented

If you really want to use casetracker, you can edit the casetracker_basic.module and find casetracker_basic_case_access method. You can see that there is a restriction when the og module presents, but when you do not use og, it only uses the "access case tracker" permission. I've change this part like the following in order to permit users to have access to unassigned cases, cases assigned to them, and cases they've authored

if (!module_exists('og')) {
        return
        (user_access('edit any cases') || (int)$node->casetracker->assign_to == (int)$user->uid
           || (int)$node->uid == (int)$user->uid
           || (int)$node->casetracker->assign_to == 0);
}

But, Now, I do not use this module. I use CCK, CCK_Comment and OG. CCK enables me to prevent users to change priority and content of a task. Besides, it is more integrated with notifications module. I use OG to restrict access of a case to a group of people (Although you can use Node Access User Reference module to give permissions to the assigned user instead of og). CCK_Comment helps me to enable users to change only task progress by comment while case_tracker doesn't have these features.

masood_mj’s picture

masood_mj commented

pdarnell, you can use content access module which enables you to uncheck "view all contents" for each content type and check "view own contents". I think this will help you.
If you want this restriction only in view layer (Users can see the contents by urls or recent posts link). You can set access permissions in case tracker views and create your own views for "myauthored" links.

jmiccolis’s picture

jmiccolis commented
Status: Active » Closed (won't fix)

Setting this to won't fix. I think masood_mj has provided great detail on how you'd do this. We're not going to be making changes in case tracker itself to do this explicitly, as it's possible without modifying case tracker.