Hi,

I'm using the Subusers module to allow "Parent" role users to create "Child" users(authenticated users role). I want to be able to let the parent users moderate(update/delete/publish/unpublish) child user posts(nodes). Of course, when posts are published everyone should be able to view the posts inc. anon users.

When a child user creates a post, I add the the parent to the acl /w full privs.
*SIDE NOTE* I also have to add the child to the acl or nodes don't show up in views. (probably due to my misuse of the module)

function mymodule_entity_insert($entity, $type) {
  if (in_array($entity->type, array('post'))) {
    $account = user_load($entity->uid);
    $parents = subuser_load_all($account, FALSE);
    $parent_id = array_shift($parents);
    
    if ($parent_id) {
      // Create a new ACL.
      $acl_id = acl_create_acl('mymodule', 'mod_'. $entity->nid);
      
      // Provide access control to a node based upon an ACL id.
      acl_node_add_acl($entity->nid, $acl_id, 1, 1, 1, 0);
      // Add parent and child to an ACL.(@see views bug)
      acl_add_user($acl_id, $parent_id);
      acl_add_user($acl_id, $entity->uid);
      // Node access grants for rebuilding.
      node_access_needs_rebuild(TRUE);
    }  
  }
}

This seems to work well in terms of moderating content. however, when posts are published by the parent. The anon and other site users still can't view the content. They do have "View Published Content" perms.

How can I keep these ACLs but, allow anon/authenticated users to view published content?

Thanks,

Comments

psychobyte’s picture

Issue summary: View changes
salvis’s picture

Status: Active » Fixed

Please install the Devel Node Access module as explained when you created this issue. It'll show you what your state is.

node_access_needs_rebuild() is not what you want. It'll just set a flag that tells the administrator to run a batch rebuild of the entire {node_access} table. You want to call node_access_acquire_grants() instead.

psychobyte’s picture

It looks like views ignores ACL just like hook_node_access.

http://www.phase2technology.com/blog/drupal-7-node-access-grants-locks-a...

I was actually able to move to hook_node_grants() to do what I wanted.

salvis’s picture

It looks like views ignores ACL just like hook_node_access.

This is wrong.

I don't have time to really study the post that you quote, but calling "Drupal [...] a 'deny-based' access control system" is at least misleading.

If you want to seriously discuss (and understand) this then follow the instructions and post screenshots of the two DNA blocks.

Everything else is just guesswork and a waste of time.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.