Controlling Access to Pages

If you need a way to control who can see your content, then you should tackle this early on. Generally, in Drupal 4.7, modules cannot deny access to certain nodes; instead, they must hide all nodes and then grant access selectively. If you already have content, installing such a module will make all of your content vanish!

I'm trying to find my way here, reporting as I go...

Forum Access

Node Access Arbitrator (na_arbitrator) comes with the forum_access module, which allows fine-grained control of who can do what in each forum. This seems to be the best forum access control module, and its technology is part of the upcoming Drupal 5.0 core.

Unfortunately, many access control modules are incompatible with each other, but if you want to control access to forums, this one is a must. It also includes the workflow_access module.

Taxonomy-Based Access Control

Taxonomy Access Control Lite (tac_lite) is an elegant solution if you only need to control who can see a given node. Do watch the screencast to get a good overview of what it can do. Since it's a pain to gather the information from the screencast, I'm listing the essential points here. The author suggests creating a hierarchical, multi-select vocabulary as follows:

  by role
  by team

Then he creates "manager" and "player" roles and gives them access to their respective terms, and he gives team access to the users who are members of those teams.

OTOH, each node gets one or more terms from the "Privacy" vocabulary to give specific view access rights, or "<none>" to make it viewable by everyone, including anonymous users. The terms are visible, and I like the fact that nothing shows on the generally visible pages.

The Devel module includes the devel_node_access module, which helps you understand how access to any given node is granted. Check /devel/node_access/summary for a quick overview; if there is a section "Legacy Nodes" with a non-zero number, click on that number to get a list of nodes that may be erroneously hidden. (You need to have the views module enabled to see the list.)

In its original state the node_access table has only one record:

  nid   gid   realm   grant_view   grant_update   grant_delete
  0     0     all     1            0              0

which grants view access for all nodes to everyone. This record remains after installing tac_lite, but for all but the administrator the site reverts to the "Welcome to your new Drupal website!" page. You can either open and resubmit every node (the "Legacy Nodes" list mentioned above comes in handy), or use the following SQL statement on your node_access table:

INSERT INTO node_access (nid, gid, realm, grant_view, grant_update, grant_delete)
SELECT nid, 0, 'tac_lite', 1, 0, 0 FROM node;

(Be sure to make a backup before performing SQL surgery on your database tables!)

nid is the node id, gid = 0 means the record applies to everyone, i.e. the node is visible for everyone.
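A narrower variant of the statement above, as an added example that is not from the original page: it lists the nodes that have no tac_lite record at all and backfills only those, so a node that already carries a tac_lite record with another gid is not additionally opened to everyone. It assumes only the node and node_access columns shown on this page.

```sql
-- 1. Audit first: nodes that have no tac_lite record of any kind.
--    These are the ones hidden from everyone but the administrator.
SELECT n.nid
FROM node n
LEFT JOIN node_access na
       ON na.nid = n.nid
      AND na.realm = 'tac_lite'
WHERE na.nid IS NULL;

-- 2. Backfill only those nodes with the "visible for everyone" record
--    (gid = 0, view only). Nodes that already have a tac_lite record
--    are skipped, and running this a second time inserts nothing.
INSERT INTO node_access (nid, gid, realm, grant_view, grant_update, grant_delete)
SELECT n.nid, 0, 'tac_lite', 1, 0, 0
FROM node n
LEFT JOIN node_access na
       ON na.nid = n.nid
      AND na.realm = 'tac_lite'
WHERE na.nid IS NULL;

-- 3. Review the result: how many nodes each realm/gid pair can view.
--    A large count for ('tac_lite', 0) means that many nodes are public.
SELECT realm, gid, COUNT(*) AS nodes
FROM node_access
WHERE grant_view = 1
GROUP BY realm, gid
ORDER BY realm, gid;
```

Compare the nid list from step 1 with the "Legacy Nodes" list before running step 2, and keep the list so the inserted records can be removed again for any node that should not have become public.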

I started out by installing tac_lite and then na_arbitrator (see above). Unfortunately, it turns out that the two really are incompatible. Installing the latter removed all records of the former, and even if you recreate the tac_lite records, all content remains visible, i.e. tac_lite cannot keep na_arbitrator from granting access to all content...