Controlling user access and user specific pages
I have been looking for a while now for a way to control and restrict access to pages depending on the user that is logged in. However i can't seem to find anything.
Here's what i want to do:
In the system there are two main types of users. Project leaders and administration. Each project leader should will be the leader of one (you guessed it) project and should have access to only that project. Administrators would have access to all projects and have the ability to create new projects. They should also have the ability do anything a project leader can in a project. Besides that they should have the ability to update stuff that the project leaders should not have access to edit but should be able to view. Each project contains a series of sites such as people on that project, a budget for the project, a calender of events related to that project.
My problem is that i can't seem to find a way to restrict each project leaders access to just their own project. Also i would like to know how i would let an administrator create a project and the system would automaticly create the needed pages for a project without the administrator setting up all the pages manually.
If you need a more detailed description, please feel free to ask questions.
Taxonomy Access Control and a custom module
One way to implement the permissions setup you need is to apply Taxonomy terms to content pages and use the Taxonomy Access Control module.
http://drupal.org/project/taxonomy_access
For the idea of automatically creating pages for a project, I can only think of writing a custom module for this. There are also some modules that you could take a look at (I've not used either of these myself, I just came across them while researching your question):
http://drupal.org/project/noderelationships
http://drupal.org/project/nodereferrer_create
Good luck!
taxonomy_access and clarification
Thank you for the swift response
I have looked at taxonomy_access and it seems that for that to work i would have to create an individual user role for each of the project leaders and several taxonomy terms for each project. That seems like abit of a task. Especially since the the site should contain quite a large amount of projects. Is there a way to automate this process. I imagine that there must be an easier way.
Also i'll describe the project in more detail to give a better understanding of what i need.
Basicly the system is for an organisation who gets grants to do a project. In the organisation there is some payed employees who manages the grants and the overall administration like budgets and such. Each project has a project leader who is a volunteer who manages all the communication with the people who sits in the administration and schedules the activities of the project. So basicly there is alot of projects, each led by a project leader, and an administration who oversees all the projects.
This system is supposed to be a way for the project leaders and the administration to communicate and a place for the project leaders to lookup information about the project they are leading that they would otherwise need to contact the administration to get. Also the project leaders should be able to update information about the project.
A few requirements:
All project leaders and volunteers are required to be members of the organisation. Therefore the website should be connected to the member database.
A user account should be associated with a member in the database. A check in the database should reveal the project the user account is leading and therefore should have access to viewing.
A project leader should be able to view which members, according to the database, are volunteering on their project.
A project leader should be able to update information in the database about volunteers and add new ones.
So what i'm asking, which i'm afraid i didn't make clear in my first post, is how to restrict users access to sites depending on information located in a database, (i think)
If it's still not clear what i want please feel free to ask. Also if you have suggsestions to how to do this, i'm very open to them:)
Node associations and real security vs. deterrents
Firstly, there is nothing about what you are describing that can't be done within Drupal. The issue is mainly about understanding how the pieces need to fit together, and whether you can use existing modules to obtain all of your business requirements or if you need to write something custom.
The first thing to consider is the fact that you have various objects (users and content nodes) that somehow need to be related to one another. Based on my reading of your description, you have a core "Project" object (containing data like Title, Grant Date, etc.). This Project then has an X number of one-to-many relationships: to other users (Admins, Leaders, Volunteers, etc.) and to other node objects (perhaps Activities, Events - whatever). Something needs to tie the pieces together, otherwise how would the system know that these things are related?
Taxonomy is one approach - you create a Term "Project A" and then every related Node would have this term selected. This creates a flat association between all of the nodes that share the same term. Taxonomy can be used in other modules, such as Views, to create a listing of related nodes. Alternatively, you could avoid Taxonomy and simply create your own association fields, if you chose.
To create an association to users (Project Leaders and volunteers assigned to the project) you could add selectable fields to the Project content type such that you can identify the related users. Drop-down box fields can be programmed (via PHP input type) to do dynamic data lookups, so rather than type in someone's name you can choose them from a list and the system will store their true, back-end user ID. (This technique assumes that the Admin or Leader is assigning volunteers, rather than letting them assign themselves.)
The limitation thus far is that all you've done is create associations between the various objects. Nothing about this would enforce any kind of security. For example, even if you created a custom display that only showed a user their own projects (based on a query you wrote to re-assemble the associations) nothing would stop the user from changing a URL path to a different node. This is because the Drupal security model was not modified to check for your permission model - this is the nature of my "real security vs. deterrents" part of the subject here.
If you want "real security" you need to create associations AND do something that invokes the Drupal security model. Otherwise, you only have "deterrent" level security - i.e. you appear to limit the user to what they can see and do, but in fact it's just a smokescreen and a user can bypass it quite easily. Whether or not you need real security is totally up to your business rules. FYI though it may seem OK, be aware that users can accidentally create problems and deterrent-level security is usually not a good idea to rely on.
I could be wrong, but I doubt that any combination of Contributed Modules is going to get you 100% of where you need to be. The ideal solution is likely to involve using some modules, but still writing a custom one to get everything you need.
I did find another module for you to look at:
http://drupal.org/project/node_access
node access
Thanks again for the response. I have looked now at the node_access and it offers great flexibility in access control. It also seems to offer the "real security" instead of just the "deterrent" level security. Also i have looked at some more at the TAC module which seems great but a bit confusing too. I will likely look more at this and explore the possibilities. However i have some questions related to how i would do this with node_access.
First of i would like the user accounts to be tied to the member database. That way i would be able to set the permissions according to the information in there. But how do i do this. My idea was to assign every user an ID corresponding to their ID in the member database. A script would run sometimes (e.g. with the cron job) that checks in the database what permissions a user should have and then edits them. Alternativly i could change permissions as i change the database (as this would be done via the site anyway).
So the question is very specific. Namely how do edit permissions for a node without using the interface that node_access offers but rather through php. I figure node_acces must have some functions or similar that i can use.