I have been using the Content Permissions module for about a year on a certain website, and now we are converting our workflow management to take advantage of the Workflow and Workflow Fields modules. Is there anything I need to be aware of when using Workflow Fields in conjunction with Content Permissions?

In other words, how do the permissions get granted? I have a field called field_membership_type, and I grant authenticated users permission to edit this field (with Content Permissions). Now, with Workflow Fields I fine-tune this so that the user can edit this field on creation, but not in any of the other workflow states. In the creation state, will the field be editable or restricted? How about with the subsequent states?

Furthermore, should I just scrap the Content Permissions module, since Workflow Fields offers a more fine-grain approach?

Thanks! (This info might be useful in a documentation page.)

Comments

infojunkie’s picture

The correct behavior is that all permission-related field settings should override Workflow Fields. Workflow Fields will not enable access to a field that is otherwise disabled.

If there are cases that contradict this, please file them as bugs.

joelstein’s picture

So, if Content Permissions grants a field to be editable, then it will be editable, even if Workflow Fields doesn't grant edit in any state? Am I right in assuming that if I have more than one access control module, if any of them grant access to a field, then it is accessible?

If that's correct, then I would need to deny permission with Content Permissions, so that Workflow Fields can manage the grants. Right? (Still trying to wrap my head around issues with multiple access control modules.)

infojunkie’s picture

Actually, I'm not sure how CCK will manage several field access control modules simultaneously. This needs more investigation. But I would expect the opposite: if any module denies access, then the field is denied.

You're welcome to try and update the thread here. I'll gladly provide any help along the way.

joelstein’s picture

I believe it works the way I described. I found this article which gives a good explanation of how access control works in Drupal. To quote from the article:

Node access modules always GRANT access and never restrict it. (It is a whitelisting rather a blacklisting system.) If you use two node access modules and one grants access while another does not, access is granted.

That is consistent with my tests.

infojunkie’s picture

Status: Active » Fixed

Thanks for letting me know :-) I will update the module page with this info.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

rjs.martins’s picture

It all works as expected.