You can't actually make an anonymous/authenticated home page without people being able to view (public) content. :)


Comments

webchick’s picture

Also, I am probably not going to be able to work on this, because I am not sure where said permission assignments would go. I'm used to doing them in $distro . '_install()'; but that doesn't seem to be the proper place in Commons.

webchick’s picture

Title: Turn on "view published content" permissions for anonymous && authenticated users » Anonymous users see 403 everywhere, but can still see titles of things

Yeah, these permissions are still funny. Here's what the logged out user sees on the home page:

Titles showing of activity stream, pages but no content available.

This is un-good, because if I'm truly not meant to see those things I should not see them in the interface. A title of one of those activity stream things might be "Acquia to acquire Microsoft later this month. Keep confidential." (I kid, I kid... but seriously. ;))

All of these things look like they need to be run through X_access(), and since I can't associate pages with a group, it seems like at least those should be public because otherwise I can't view the "how to register" page or whatever.

ezra-g’s picture

Title: Anonymous users see 403 everywhere, but can still see titles of things » Enforce node access restrictions on Activity stream entries
Component: Code » Activity/status streams

Re-titled with the action item to fix this.

I see a few ways of handling this:

A) Since Commons defaults to having only public groups, we can not write activity stream messages about unpublished nodes, and unpublish messages when nodes are unpublished.

B) Implement proper node access on activity stream entries. This is the most robust solution but comes at the potential performance cost of additional node access checking.

meba’s picture

I think B is the right choice since you never know where content bubbles up. Messages are entities so content access on them shouldn't be hard. We could also implement the D7 hook that allows us to check access for anonymous users without an expensive query?

ezra-g’s picture

I chatted with amitaibu and he suggested that this might be simple to add to Message views, per the attached screenshot. We should do some testing :).

ezra-g’s picture

Status: Active » Fixed

This is fixed in several parts:

I rolled this patch to Views to fix a bug in the "Content access" filter:
#1822440: "Content access" filter should check for node_grants implementations before adding node access grant queries

That's added to Commons with:
http://drupalcode.org/project/commons.git/commit/6baf7fb

And the Activity stream views are updated to enforce node access via the "Content access" and "Node: published or admin" filter via:

http://drupalcode.org/project/commons_activity_streams.git/commit/ff2a5d4

Thanks, webchick, for pointing this out super duper early!!!
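An added illustration of option B, not part of the original thread or of the Commons code: a Drupal 7 sketch that drops activity stream entries whose node the viewer cannot see, so titles do not leak either. The `example_*` function names and the `$entries` array shape (`nid`, `title`) are hypothetical, and the published check is a simplified form of the "Node: published or admin" filter.

```php
<?php
/**
 * Returns the subset of $nids that $account may view, using one query.
 * Assumes a bootstrapped Drupal 7 site.
 */
function example_viewable_nids(array $nids, $account = NULL) {
  if (empty($nids)) {
    return array();
  }
  if (!isset($account)) {
    $account = $GLOBALS['user'];
  }
  $query = db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.nid', $nids, 'IN')
    // Lets node_query_node_access_alter() add grant conditions for $account.
    ->addTag('node_access')
    ->addMetaData('account', $account);
  // When no module implements hook_node_grants(), the node_access alter adds
  // nothing, so the published status has to be checked explicitly.
  if (!user_access('bypass node access', $account)) {
    $query->condition('n.status', NODE_PUBLISHED);
  }
  return $query->execute()->fetchCol();
}

/**
 * Filters stream entries (hypothetical shape: array('nid' => ..., 'title' => ...))
 * down to those whose node $account may view. Denied entries are removed
 * entirely rather than rendered with a title and a 403 link.
 */
function example_filter_stream(array $entries, $account = NULL) {
  $nids = array();
  foreach ($entries as $entry) {
    $nids[] = $entry['nid'];
  }
  $allowed = array_flip(example_viewable_nids(array_unique($nids), $account));
  $visible = array();
  foreach ($entries as $entry) {
    if (isset($allowed[$entry['nid']])) {
      $visible[] = $entry;
    }
  }
  return $visible;
}
```

Batching all node IDs into a single tagged query keeps the cost to one access-checked lookup per stream rather than one per entry.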

webchick’s picture

Awesome! :D Happy to break your stuff early anytime! ;)

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.