Download & Extend
Taxonomy Access Control » Issues

How give term-based Taxonomy Access Control VIEW DENY over type-based Content Access VIEW ALLOW

Posted by webel on January 26, 2010 at 1:56am
Project:Taxonomy Access Control
Version:6.x-1.0
Component:Integration with other modules
Category:support request
Priority:normal
Assigned:Unassigned
Status:closed (fixed)

Issue Summary

Example:

I have a custom type Document (for handling extensive metadata on an attachments). By default, anonymous users should have access (most fields of) the Document node, as declared by View any content for 'anonymous user under the Access Control tab for the custom type Document, which is equivalent to an explicit VIEW ALLOW.

I have a Vocabulary Copyright with tags (Drupal "terms") for various degrees of access for different roles. When a node is tagged by 'restricted' it should not be visible to 'anonymous' users, expressed by a VIEW DENY for role anonymous on that term.

However, when I enable Content Access for node type Document it overrides (ALLOWS) the Taxonomy Access Control setting; I need to prioritise TAC over Content Access.

I have installed Module Grants after inspecting its docs carefully, however it does not seem to offer the ability to prioritise a DENY from one module over an ALLOW from another, it only offers options for interpreting no statement on grant access:

Configure behaviour when multiple content access modules are enabled

Interpret absence of access grants as a "don't care", rather than a "deny access".

Only applies when two or more content access modules are enabled and one of the modules makes no statement about a node that is about to be accessed. If this box is checked, then a content access module saying nothing (via the node_access table) about the node in question will be deemed to be ok with the user having access to it. If not checked (i.e. "strict"), then a module saying nothing will be taken as a "deny access".

Very glad for advice, and if there is no know way of prioritising TAC, I
will push this over to Module Grants as a feature or support request.

Login or register to post comments

Comments

#1

Posted by jphelan on January 30, 2010 at 10:05pm

Same problem, any ideas?

#2

Posted by jphelan on January 30, 2010 at 10:20pm

I think I just figured it out. I set "Give content node grants priority:" option on the content type I also had the taxonomy associated with to -1 and now it seems to be functioning correctly.

#3

Posted by xjm on February 19, 2010 at 3:36pm

My solution for this has been to configure my node-based access control modules to be as restrictive as possible and then use TAC to add access where needed, even if it's setting the global default to "Allow" and then denying for specific terms. The solution in #2 should work so long as Content Access should always override TAC, but in my case I need TAC's grants to have precedence.

#4

Posted by xjm on February 27, 2010 at 9:13pm

Marked #139444: Let "deny" override other access modules as duplicate of this issue.

#5

Posted by xjm on February 28, 2010 at 12:35am
Component:Miscellaneous» Integration with other modules

#6

Posted by velpan on January 21, 2011 at 12:53am

Maybe is a new feature of 6.x-1.2 version I use but to solve this issue you can set the Advanced option

"Give content node grants priority" to -1 and everything works fine.

#7

Posted by davemaxg on June 9, 2011 at 12:01am

@velpan, where is this "Give content node grants priority" advanced option? I can't find it.

#8

Posted by xjm on June 9, 2011 at 4:04pm

#7: To clarify, that is a module grants feature, not a TAC feature. So it would be somewhere in the module grants config. Documentation for that module is at:
http://drupal.org/node/408816

#9

Posted by xjm on September 9, 2011 at 1:46am
Status:active» closed (fixed)

Closing since this isn't really a TAC issue.