Hello to anyone else who would like to help, hopefully that includes you Rik!

I thought I had this all working correctly the other day, but then things
started to not make sense. So I'm hoping that by creating this post I'll
figure out my problem or someone else will see what my error is, and in the
end everyone will benefit from the discussion.

In creating this post I will out line speficically how my site is set-up for
permissions and workflows and then outline the tests that I have done.  I
have Bolded the things that I think are errors or a points
of confusion for me.  Things actually work pretty well for me until the
very end.

I wasnt' sure whether to put this post in the Revisioning Issues or the Module
Grants Issues, but since the problems seem to boil down to permissions I felt
it was most appropriate to put it here in the Module Grants Issues.

I know this may quailify as the biggest single post on Drupal.org, but I felt
I need to outline in detail exactly what I was doing to try to make this work.

So thanks in advance for any help you can give me, and please pardon any typos.  I
have done my best to document this as I did it.

Steve

Here's the setup of the site:

2 content types: Blog and Page, each have the following default workflow settings:

  • ticked - Create new revision
  • ticked - New revision in draft, pending moderation (requires "Create new revision")
  • ticked - Create new revision: Every time page content is updated, even when saving content in draft/pending moderation

4 users each with the one of the roles with the following permissions:

  • Contributor - Blog
    • ticked - create blog entries - blog module
    • ticked - access content summary - module_grants module
    • ticked - unpublished blog access - module_grants module (with
      patch from http://drupal.org/node/490580 )
    • ticked - access content - node module
    • ticked - view revisions - node module
    • ticked - edit revisions - revisioning module
  • Moderator - Blog
    • ticked - create blog entries - blog module
    • ticked - access content summary - module_grants module
    • ticked - unpublished blog access - module_grants module (with
      patch from http://drupal.org/node/490580 )
    • ticked - access content - node module
    • ticked - revert revisions - node module
    • ticked - view revisions - node module
    • ticked - edit revisions - revisioning module
  • Contributor - Page
    • ticked - access content summary - module_grants module
    • ticked - unpublished blog access - module_grants module (with
      patch from http://drupal.org/node/490580 )
    • ticked - access content - node module
    • ticked - create page content - node module
    • ticked - view revisions - node module
    • ticked - edit revisions - revisioning module
  • Moderator - Page
    • ticked - access content summary - module_grants module
    • ticked - unpublished blog access - module_grants module (with patch from http://drupal.org/node/490580 )
    • ticked - access content - node module
    • ticked - create page content - node module
    • ticked - revert revisions - node module
    • ticked - view revisions - node module
    • ticked - edit revisions - revisioning module

5 Workflow States

  • (creation)
  • in draft - (should) only allow the authors to edit
  • in review - (should) only allow only moderators of the content type to
    edit
  • live, published - (should be) viewable to all, (should) allow authors
    and only moderators of the content type to make new unpublished revisions,
    (should) allow only moderators of the content type to edit published versions
  • live, published, promoted to front page - (should be) viewable to all,
    (should) allow authors and only moderators of the content type to make new
    unpublished revisions, (should) allow only moderators of the content type
    to edit published versions

Note: Workflow Triggers and Actions publish the node upon transitions
to both live states. (see http://drupal.org/node/493246 for a discussion creating
states and promoting to the front page)

Workflow Transtions and Allowed Transitions by Role

  • author may do these transitions:
    • from Creation   to   in draft
  • contributor roles may do these transitions:
    • from Creation   to   in draft
    • from Creation   to   in review
    • from in draft   to   in
      review
    • from live, published    to   in
      draft         (should be a new revision, leaving previous
      version published)
    • from live, published   to  in
      review        (should be a new revision, leaving previous version
      published)
    • from live, published, promoted to front page   to   in
      draft        (should be a new revision, leaving previous
      version published)
    • from live, published, promoted to front page   to  in
      review       (should be a new revision, leaving previous version published)
  • moderator roles may do these transitions:
    • from Creation   to   in draft
    • from Creation   to   live, published
    • from Creation   to   live, published,
      promoted to front page 
    • from in draft   to  live,
      published
    • from in draft   to  live,
      published, promoted to front page 
    • from in review   to  in draft
    • from in review  to  live, published
    • from in review  to  live, published,
      promoted to front page 
    • from live, published  to   in draft (should
      be a new revision, leaving previous version published)
    • from live, published  to  from live,
      published, promoted to front page       (should be a new published
      revision)
    • from live, published, promoted to front page  to   in
      draft       (should be a new revision, leaving previous version
      published)
    • from live, published, promoted to front page  to  live,
      published       (should be a new published revision)

Workflow tab permissions is off for all roles

Workflow Access Control

  • in draft - (should) only allow the authors to edit
    • Roles who can view posts in this state:
      • anonymous user
      • authenticated user
    • Roles who can edit posts in this state:
      • author
    • Roles who can delete posts in this state:
      • no roles can delete
  • in review - (should) only allow only moderators of the content type to
    edit
    • Roles who can view posts in this state:
      • anonymous user
      • authenticated user
    • Roles who can edit posts in this state:
      • Moderator - Blogs
      • Moderator - Pages
    • Roles who can delete posts in this state:
      • no roles can delete
  • live, published - (should be) viewable to all, (should) allow authors and
    only moderators of the content type to make new unpublished revisions, (should)
    allow only moderators of the content type to edit published versions
    • Roles who can view posts in this state:
      • anonymous user
      • authenticated user
    • Roles who can edit posts in this state:
      • author
      • Moderator - Blogs
      • Moderator - Pages
    • Roles who can delete posts in this state:
      • no roles can delete
  • live, published, promoted to front page - (should be) viewable to all,
    (should) allow authors and only moderators of the content type to make new
    unpublished revisions, (should) allow only moderators of the content type
    to edit published versions
    • Roles who can view posts in this state:
      • anonymous user
      • authenticated user
    • Roles who can edit posts in this state:
      • author
      • Moderator - Blogs
      • Moderator - Pages
    • Roles who can delete posts in this state:
      • no roles can delete

 

OK, so now I'll review how I tested this set-up and point out the things
that don't work the way expect them to based on all of the above and hopefully
we can find resolutions to.

  1. All existing content is removed from the site, permissions are rebuilt
  2. Create new content
    with Contributor Roles
    • User with Contributor - Blog role creates 2 peices of new content:
      1 saved to the 'In Draft' state, the other saved to the 'In Review' state.
      • Check the 'Manage content'
          - Note I commented out of the code the tab for "I can View'
        • 'accessible-content/i-created' shows both new blog posts
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content/i-created/not-published' shows both new
          blog posts
        • 'accessible-content' shows both new blog posts
        • 'accessible-content/i-last-modified/published' shows nothing
        • 'accessible-content/i-last-modified/not-published' shows both
          new blog posts
        • 'accessible-content/i-can-edit' shows the one blog post that
          is 'In Draft' state
        • 'accessible-content/i-can-edit/published' shows nothing
        • 'accessible-content/i-can-edit/not-published' shows the one
          blog post that is 'In Draft' state
      • Test Passed - Everything is showing up as expected
      • However,
        • to me it doesn't make sense to have 2 sub-tabs ('In
          Draft/Pending Publication' and  'Not Published') that
          show the same thing.  I think the 'Not Published' sub-tab
          could be removed and simplfy the User Interface.
    • User with Contributor - Page role creates 2 peices of new content:
      1 saved to the 'In Draft' state, the other saved to the 'In Review' state.
      • same as for creating content as with Contributor - Blog role, except
        of course for Page Content-types
  3. Switch to Moderator Roles
    • User with Moderator - Blog
      • Shows 1 revision pending in Alert Block - as expected
      • Check the 'Manage content'
        • 'accessible-content/i-created' shows nothing
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content' shows nothing
        • 'accessible-content/i-last-modified/published' shows nothing
        • 'accessible-content/i-last-modified/not-published' shows nothing
        • 'accessible-content/i-can-edit' shows the one blog that is
          'In Draft' state
        • 'accessible-content/i-can-edit/published' shows nothing
        • 'accessible-content/i-can-edit/not-published' shows the one
          blog that is 'In Draft' state
      • Test Passed - Everything is showing up as expected
      • Again, 'In Draft/Pending Publication'
        and  'Not Published' sub-tabs are redundant.
    • User with Moderator - Page
      • same as for Moderator - Blog role, except
        of course for Page Content-types
  4. Edit 'In Review' content with Moderator Roles
    • User with Moderator - Blog
      • edit and change state to 'In Draft' (Rules sent e-mail confirming
        the change)
      • Check the 'Manage content'
        • 'accessible-content/i-created' shows nothing
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content' shows the blog post just edited, state
          'In Draft"
        • 'accessible-content/i-last-modified/published' shows nothing
        • 'accessible-content/i-last-modified/not-published' shows nothing,
          why does it show nothing?
        • 'accessible-content/i-can-edit' shows nothing
        • 'accessible-content/i-can-edit/published' shows nothing
        • 'accessible-content/i-can-edit/not-published' shows nothing
      • Test Almost Passed - I don't understand results of 'accessible-content/i-last-modified/not-published'
      • Note I didn't change state the first time I edited the blog, and
        discovered this when I switched to the Contributor Role (step 5 below),
        so I went back and did it again.  This time I got the confirmation
        e-mail from my Rules Module configuration.
    • User with Moderator - Page
      • edit and change state to 'In Draft' (Rules sent e-mail confirming
        the change)
      • same as for Moderator - Blog role, except of course for Page Content-types
  5. Switch to Contributor Roles
    • Revisions Alert Box show 2 Revisions Pending
      for both roles
      • Unexpected result, I thought this only occurred with Moderators,
        but I like having it for the Contributor Roles
    • User with Contributor - Blog
      • Check the 'Manage content'
        • 'accessible-content/i-created' shows both blog posts
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content/i-created/not-published' shows both new
          blog posts
        • 'accessible-content' shows both blog posts, why is
          this? last moderator edited one of the last.
        • 'accessible-content/i-last-modified/published' shows nothing
        • 'accessible-content/i-last-modified/not-published' shows
          both blog posts,           why
          is this? last moderator edited one of the last.
        • 'accessible-content/i-can-edit' shows both blog posts
        • 'accessible-content/i-can-edit/published' shows nothing
        • 'accessible-content/i-can-edit/not-published' shows both blog
          posts
      • Test Almost Passed - I don't understand results of 'accessible-content'
        and 'accessible-content/i-last-modified/not-published'
    • User with Contributor - Page
      • Check the 'Manage content'
        • 'accessible-content/i-created' shows both page posts
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content/i-created/not-published' shows both new
          page posts
        • 'accessible-content' shows the page post that was never sent
          to moderator
        • 'accessible-content/i-last-modified/published' shows nothing
        • 'accessible-content/i-last-modified/not-published' shows
          both new page posts, why
          is this? last moderator edited one of the last.
        • 'accessible-content/i-can-edit' shows both page posts
        • 'accessible-content/i-can-edit/published' shows nothing
        • 'accessible-content/i-can-edit/not-published' shows both page
          posts
      • Test Almost Passed - I don't understand results of 'accessible-content/i-last-modified/not-published'
  6. Edit both posts that are 'In Draft' state with Contributor Roles and switch
    both to 'In Review' so that they can be sent to the 2 different 'Live' states
    later
    • Revisions Alert Box dissappeared for both roles
    • User with Contributor - Blog
      • Check the 'Manage content'
        • 'accessible-content/i-created' shows both blog posts with
          'In Review' state
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content/i-created/not-published' shows both blog
          posts with 'In Review' state
        • 'accessible-content' shows both blog posts with
          'In Review' state
        • 'accessible-content/i-last-modified/published' shows nothing
        • 'accessible-content/i-last-modified/not-published' shows
          both blog posts with 'In Review' state
        • 'accessible-content/i-can-edit' shows nothing
        • 'accessible-content/i-can-edit/published' shows nothing
        • 'accessible-content/i-can-edit/not-published' shows nothing
      • Test Passed - everything as expected, although 'not-published'
        sub-tab is redundant
    • User with Contributor - Page
      • same as for creating content as with Contributor - Blog role,
        except of course for Page Content-types
  7. Switch to Moderator Roles
    • Revisions Alert Box show 2 Revisions Pending for both roles
    • User with Moderator - Blog
      • Check the 'Manage content'
        • 'accessible-content/i-created' shows nothing
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content' shows the one blog post that was
          edited by the moderator before with 'In Review' state,
          but why?  The last person to modify the content was the
          Contributor          .
        • 'accessible-content/i-last-modified/published' shows nothing
        • 'accessible-content/i-last-modified/not-published' shows nothing
        • 'accessible-content/i-can-edit' shows both blog posts with
          'In Review' state
        • 'accessible-content/i-can-edit/published' shows nothing
        • 'accessible-content/i-can-edit/not-published' shows both blog
          posts with 'In Review' state
    • User with Moderator - Page
      • same as for creating content as with Contributor - Blog role,
        except of course for Page Content-types
    • Test Almost Passed, don't understand results of 'accessible-content'
  8. Edit both posts that are 'In Review' state with Moderator Roles and one
    post to each of the 2 different 'Live' states
    • Revisions Alert Box dissappeared for both roles
    • User with Moderator - Blog
      • Check the 'Manage content'
        • 'accessible-content/i-created' shows nothing
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content' shows nothing
        • 'accessible-content/i-last-modified/published' shows
          both blog posts with 1 'Live' state and 1 'Live, Front page'
          state
        • 'accessible-content/i-last-modified/not-published' shows
          nothing
        • 'accessible-content/i-can-edit' shows nothing
        • 'accessible-content/i-can-edit/published' shows
          both blog posts with 1 'Live' state and 1 'Live, Front page'
          state
        • 'accessible-content/i-can-edit/not-published' shows nothing
    • User with Moderator - Page
      • same as for creating content as with Moderator - Blog role,
        except of course for Page Content-types
    • Test Passed, get exactly what I expected
  9. Switch to Contributor Roles
    • No Revisions Alert Box for either role
    • User with Contributor - Blog
      • Check the 'Manage content'
        • 'accessible-content/i-created' shows nothing
        • 'accessible-content/i-created/not-published' shows both
          blog posts with 1 'Live' state and 1 'Live, Front page' state
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content' shows nothing
        • 'accessible-content/i-last-modified/published' shows nothing
        • 'accessible-content/i-last-modified/not-published' shows
          nothing
        • 'accessible-content/i-can-edit' shows nothing
        • 'accessible-content/i-can-edit/published' shows both blog
          posts with 1 'Live' state and 1 'Live, Front page' state
        • 'accessible-content/i-can-edit/not-published' shows nothing
    • User with Contributor - Page
      • same as for creating content as with Contributor - Blog role,
        except of course for Page Content-types
    • Test Passed, get exactly what I expected
  10. Edit both posts that are in the 2 different 'Live' states with Contributor
    Roles
    save to 'In Draft' and 'In Review' states.
    • After Edits Revisions Alert Box shows 1 pending Revision for each
      role
    • User with Contributor - Blog
      • Check the 'Manage content'
        • 'accessible-content/i-created' shows both blog
          posts with 1 'In Draft' state and 1 'In Review' state
        • 'accessible-content/i-created/not-published' shows both blog
          posts with 1 'In Draft' state and 1 'In Review' state
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content' shows both blog
          posts with 1 'In Draft' state and 1 'In Review' state
        • 'accessible-content/i-last-modified/published' shows nothing,
          why?
        • 'accessible-content/i-last-modified/not-published' shows
          nothing, why?
        • 'accessible-content/i-can-edit' shows 1 blog
          posts 'In Draft' state
        • 'accessible-content/i-can-edit/published' shows 1 blog
          posts 'In Draft' state
        • 'accessible-content/i-can-edit/not-published' shows nothing
    • User with Contributor - Page
      • same as for creating content as with Contributor - Blog role,
        except of course for Page Content-types
    • Test Almost Passed, get most of what I expected, but
      I don't understand results of 'accessible-content' and 'accessible-content/i-last-modified/published'
    • I think there is something I don't quite understand about Revision
      Statuses.
  11. Switch to Moderator Roles
    • Revisions Alert Box show 2 Revisions Pending for both roles, Why?  Shouldn't
      there just be one?
    • User with Moderator - Blog
      • Check the 'Manage content'
        • 'accessible-content/i-created' shows nothing
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content/i-created/not-published' shows nothing
        • 'accessible-content' shows nothing
        • 'accessible-content/i-last-modified/published' shows both
          blog posts with 1 'In Draft' state and 1 'In Review' state, Why?
        • 'accessible-content/i-last-modified/not-published' shows
          nothing
        • 'accessible-content/i-can-edit' shows 1 blog post
          with 1 'In review' state and 1 page post 'In Review' state. BIG
          PROBLEM HERE!!  Now Blog moderator has a Page post listed!
        • 'accessible-content/i-can-edit/published' shows 1
          blog post with 1 'In review' state and 1 page post 'In Review'
          state. BIG PROBLEM HERE!!  Now Blog moderator has a
          Page post listed!
        • 'accessible-content/i-can-edit/not-published' shows
          nothing
    • User with Moderator - Page
      • same as for creating content as with Contributor - Blog role,
        except of course for Page and Blog Content-types reversed
    • Test FAILED!  Blog Moderators should not have access to
      Pages and Page Moderators should not have access to Blogs.
    • I have no idea where my permissions are incorrect, if that
      is indeed the problem

So I'll stop here. Tommorrow I will see if I can figure out where this problem
stems from exactly, but if you have any ideas I would love to hear them.

Comments

rdeboer’s picture

rdeboer
Location Melbourne
commented

Yes Steve,
I think you broke the record for the longest post on drupal..... or anywhere.... haha.

... to me it doesn't make sense to have 2 sub-tabs ('In Draft/Pending Publication' and 'Not Published') that show the same thing. I think the 'Not Published' sub-tab could be removed and simplfy the User Interface.

Because drupal core offers us little in terms of clearly defining what concepts like "draft", "pending" and "moderation" really mean, these are a little blurred in Revisioning, espeically when used without Workflow. There have been various discussion about this on the Revisioning forum. The introduction of an additional revision info database table with distinct states for "draft", "pending", "published", "previously published" etc. would help... And complicate matters from a programming point of view... But improvements are being developed.

In the mean time...
"Not published" can mean either "never published before" or "previously published", aka unpublished.
A "never published before" node (e.g. a single revision) is considered pending (as well as not published), and so is a currently published node for which a new, yet to be published revision exists.
But an unpublished/previously published node (i.e. one that is taken from public view altogether) is not considered to be pending....
So there you have two cases where In draft/Pending is different from Not Published.

You're probably on to something and I need to investigate it more, but this is all I have time for now, Steve; sorry.

Rik

wickwood’s picture

wickwood commented

Thanks for the quick reply Rik.

Any ideas as why my Blog Moderators have access to edit Published Pages and Page Moderators access to Published Blogs?

This is the last test I did in the post, and this is where things are breaking down for me.

Something has come up that will prevent me from reviewing this more today, but I'll come back to it tomorrow.

Steve

P.S. Do you have the phone number for Guiness World Records? LOL

rhouse’s picture

rhouse commented

Hi Steve,

Did I notice a typo in your contributor and moderator - page setups? You show them as having unpublished blog access, not unpublished page access.

Ron.

wickwood’s picture

wickwood commented

Oh yes, Ron, that is just a typo. A victim of sloppy copy and paste! Good eye!

Steve

rdeboer’s picture

rdeboer
Location Melbourne
commented

Hi Steve,
Haven't had time to replicate your setup so the following may be a red herring, but at least it's some food for thought....

Blog Moderators should not have access to Pages and Page Moderators should not have access to Blogs.

Thinking about this from a birds eye view... We can establish this at the node module level buy setting "edit any page" and "edit any blog" permissions for the associated roles. But as we know, if we do this then drupal core will ignore anything you've set up with any other content access module, which defeats the purpose of the fine-grained access control we're aiming to achieve.
So you've correctly switched OFF edit permissions in the node module and now it's up to the Workflow module to grant edit access ... PER CONTENT TYPE....Oops....
The Workflow module is about "states" and so are the permissions you assign to them. There isn't that extra level of granularity to assign grants by state AND content type....
So that's why, I think, moderators can edit content regardless of the content type, provided the content is in the right workflow state.

But help may be on its way.

Remember TAC-Lite and the tutorial for "Revisioning for categorised content"?

Have a read of that tutorial in the context of what you're trying to achieve.
Rather than creating a vocabulary "department" with terms "arts", "science" etc.... you could create a vocabulary "content type" with terms "page", "blog" etc...
Then you should have a system where Workflow Access gives you seggragation by state, while TAC-Lite will allow you to seggragate by content type.

Haven't worked out the details, but sounds like it could work....

Good luck!

Rik

wickwood’s picture

wickwood commented

Thanks Rik,

I haven't had time to work on this over the past couple of days, but I have had time to mull things over in my mind, and I agree I think the problem is with the workflow states as you suggest.

But why does the problem not exist for unpublished content? Is this because of the patch by Ron? ( http://drupal.org/node/490580#comment-1706620 )

Also, I agree that using TAC-lite maybe the work around for this, or expanding Ron's patch to include published content as well if that is related to this problem.

Well, I'm back at it after lunch and will post back later with any results or lack there of.

Steve

wickwood’s picture

wickwood commented

Here's a summary of what I have looked at to try and solve this problem.

  • TAC-Lite Module
    Rejected because:
    1. It appears that TAC-Lite makes this incredibly complex at least in
      my situation because I have several content types and user roles.  And
      I'm already using this for controlling access to certain types of content
      based on User Roles for Polls, Forums, and Events.
    2. I don't want authors to have to select the content type Taxonony term.  There
      may be away to set this automatically, but there must be an easier wat
      to do this.
    3. Note I didn't actually try this solution, so I really don't know if
      it will work or not
  • Content Access Module
    Rejected because:
    1. I installed this and for the Page Content Type set Access Control for
      'Edit any content' to the Page Moderator Role, 'Edit own content' to
      Page Contributor Roles'.  And then did the same for the Blog Content
      Type
    2. Rebuilt Permissions for the site
    3. Tested with the existing content on the site from the Test I orginially
      posted, and Page Moderators still had access to edit published Blogs
      and Blog Moderators still had access to edit published Pages.
    4. Created brand new content, same result
    5. Changed the setting 'Give content node grants priority:' to -2 for
      the Blog and Page Conent Types, created new content, same result.
    6. So it appears that installing 'Content Access' Module has no effect
      with the configuration I have with Module Grants, Revisioning and
      Workflow modules.
    7. Uninstalled Content Access Module
  • Set-up separate Workflows for each Content Type
    - THIS WORKS!
    1. This is a tedious way to accompish this too, but I think it is simplier
      than using TAC-lite when you have other uses for that module and/or many
      user roles and content types as in my case.
    2. My initial testing indicates that this method solves the problem of
      preventing Blog moderators from having edit priviledges on Published
      Pages and vise-versa. If I discover a problem, I will of course report here.
rdeboer’s picture

rdeboer
Location Melbourne
commented

Great research Steve!

You're doing the community a service. I may update my "Revisioning with state-based access control" tutorial to include some of your very useful findings.

I don't want authors to have to select the content type Taxonony term. There may be away to set this automatically, but there must be an easier way to do this

Just before you discard TAC-Lite completely....
In your setup do you have a single Author role that can create content of more than one type, or do you have distinct Blog Author and Page Author roles that each can only create Blog and Page content respectively?
If the latter is the case, and my memory doesn't fail me, you'll probably find that with the TAC-Lite access grants correctly configured the Blog/Page Authors will find the taxonomy term (content type) preselected with no alternatives available (as they don't have access to them).
So they will not have to waste another click.

Rik

wickwood’s picture

wickwood commented

Thanks Rik,

I'm glad to contribute back to the community, but I must say I'm rather surprised that this far into the development of Drupal and with it's reputation to build community sites that these types of issues were not solved a long time ago. It seems like a basic need to me.

Anyways, to answer your question, I do have separate roles for each content-type named like:
Contributor - Page
Moderator - Page
Contributor - Blog
Moderator - Page
etc.

I also have roles like:
Campaign Committee
Campaign Steering Committee
Committee District Leader
Committee Officers
etc.

And I have set up a TAC-lite taxonomy called "Access Group" that I'm using (or trying to) control access to certain posts of the content-types Forums, Polls, and Calendar Events.

So my intention is, for example, that some site members will have role of Committee Officer and they can also create Forum Topics as Forum Contributor, and then they can set the "Access Group" so that forum post is available to the public, the entire committee, or just the officers.

But what I have noticed to this point is that the every option for the taxonomy "Access Group" is shown even if that person does not have that privilege to view it after it is created. This may be a result of a mis-setting on my part and I still need to go back and test everything again after I get the current issue solved.

One other thing though is that I have some people on the site who will be Contributors and Moderators for several content-types, and I don't want to leave it up to the user to make any selection for something like.

I nearly have all my workflows set-up for each content-type, and this strategy seems to work well. I of course need to do some extensive testing again though.

I'll keep you, and everyone else, posted to on my progress.
Steve

rdeboer’s picture

rdeboer
Location Melbourne
commented

Hi Steve,

"But what I have noticed to this point is that the every option for the taxonomy "Access Group" is shown even if that person does not have that privilege to view it after it is created"

This made me think of the second last paragraph of step #9 of the Revisioning for categorized content tutorial:

Finally, if the departmental content is to be viewed by the public, then use Scheme 4 (“public”) to grant view access only for all terms to anonymous users only. Do not include "authenticated users" in the "public" scheme as this will result in authors being able to create content for departments they don't belong to.

Could your issue benefit from a similar configuration?

Rik

wickwood’s picture

wickwood commented

Actually, my TAC-lite is working so that if a user does not have permission they do not see the options in "Access Group". I probably had something set incorrectly before, but yesterday I confirmed that things are working the way they are intended.

Steve

rdeboer’s picture

rdeboer
Location Melbourne
commented
Status: Active » Closed (fixed)

Great, I guess we can put this issue to bed, then?
Rik
PS: .... but I would love to see your findings included in some sort of write-up about your experiences, as you've found out so much to share with us