Hello! I absolutely love the Taxonomy Access module and the ways in which it can be used universally and easily to do access control across a site. I'm using it extensively for the membership management of my site. However, I am using it with other modules and add-ons (AMember for paid memberships, Userpoints to allow users who participate more to gain various levels of access to the site, etc.), and I am finding it very difficult to get all this working smoothly given that TA applies DENY after ALLOW.
An example: role1 is setup with limited access, role2 with increased access, then role3 with full (paid) access. A user registers and then works their way up to role2 through Userpoints. But now, Userpoints will have to remove them from role1 and add to role2, otherwise the DENY permissions in role1 would take presidence. Then, the role2 user decides to pay for access, and now AMember has to drop them from any other groups with DENY permissions before adding them to role3. You can see how this problem adds complexity and would require a lot of modifications to other modules.
I'm not sure why TA uses this order (or what deep logic would be affected by changing it around), but I really need to have the more permissive permissions have the highest priority so roles can be stacked. I am new to Drupal and my PHP skills are not very advanced, so I was rather lost while looking at the module code. I'm hoping someone can offer advice on changing the permission order around.
Thanks!
Comments
last
Taxonomy access only uses the last term for permissions
Drupal ecommerce, at http://www.drupalecommerce.com
http://www.drupalecommerce.com/troubleshooting
http://www.drupalecommerce.com/modulegroupings
http://www.drupalecommerce.com/47vs46
http://www.drupalecommerce.com/compared
I'm not sure what you mean
I'm not sure what you mean by the "last" term. From the Taxonomy Access help:
right
is it possible to look at your site? it would make this discussion easier.
Drupal ecommerce, at http://www.drupalecommerce.com
http://www.drupalecommerce.com/troubleshooting
http://www.drupalecommerce.com/modulesexplained
http://www.drupalecommerce.com/47vs46
http://www.drupalecommerce.com/howto
It's not for public
It's not for public consumption right now, but I sent you a message with the URL. I'm not sure how much it will help though.
I'm tinkering with Organic Groups to see if I can get it to do everything I need in the meantime. I'd rather not have to use more than one access control module, but I'm not sure if OG can do the roles and permissions I need.
I need roles and access control to be "stackable", ie. the user doesn't have to be removed from earlier groups, and as they are added to new roles, they gain more access.
Slightly OT
And it's probably still early days, but have you seen...
Node Access Arbitrator:
http://drupal.org/node/55594
??
I haven't tried it myself yet, but you might be able to help test/polish it etc
--
Anton
New to Drupal? | Forum posting tips | Troubleshooting FAQ
Example Knowledge Base built using Drupal
Checking it out
Yeah I was just taking a look at that. Looks intriguing. I've got it installed but I'm not entirely sure what it *does* yet... will tinker around tomorrow and post if I find anything noteworthy.
I'm quite new to
I'm quite new to Drupal...
The way I understand it, you start out with someone with no access granted by TA.
You grant access to role 1 and ignore (not deny) the rest.
You grant access to more to role 2 and ignore (not deny) the rest.
Use deny only to explicitely deny - so you may have a role 3 for users who post too many one-liners and will lose access to a debateing forum even if they are paid memners (your role 3). For them you will deny access to that forum.
That sounds right. The
That sounds right. The problem is that I have multiple levels of access, with different ways to gain access to those roles, and I don't want those scripts to have to deal with removing the user from other groups (which deny access) as well. The whole thing would be solved if the order could be reversed.
I looked at Simple Access module, which seems to apply permissions in the way I want, but it does not control access to forums, plus the TA module is more powerful and configurable.
Turns out that my problem
Turns out that my problem doesn't actually exist! The new Drupal book saved the day! After reading its section on TAC, it turns out I was misinterpreting the use of IGNORE. Details here.