Disabling the /node view of all nodes -AND- programming somewhat random text field content???
Alright, so here's the situation from which my question stems:
I am building a website for a client, and they want to have a content type of "project", which is a piece of content relating to a project they are currently undertaking. The internals of that content are not important, however given the sensitive nature of their industry (prototyping), they want the pieces of content to have SOME variety of security, and not visible to anyone.
FIRST QUESTION: I need to be able to disable the overall node view. You know, the one in which all pieces of content are just haphazardly rendered for anyone to see. I never use that crapola anyways, so I'd love to learn how to disable it!
SECOND QUESTION: the client wants customers to be able to view their projects without having to have a login. He's of the strict belief that there are just too many god damn logins floating around out there, and I just can't blame him. So what he wants is something similar to a FED EX tracking #, in which when the project is created, a random id is generated which can be email to the client. The client then enters that ID, and it will allow them to view the project status.
The best i can figure to do this is create a randomly generated string of text such as "A7723232PR99", and then bounce that against all the other node's in this content type to ensure it hasn't occurred before (rare, but a possibility). This would in no way distinguish who the client is, and given it's truly random nature wouldn't be easily guessed. Combine Re-captcha with the submission form to look up your ID, and going in through the front door isn't such a viable option anymore.
...so oh great drupalists, how the heck would I go about doing this? Am I looking at something complex and quite custom, or has some one done something even remotely similar to this in the past?
Ical feed
Why use a node?
This may get into the node-itis debate common among Drupalers, but if you don't want the content to be visible via a node view, I'd probably just stick in in the database elsewhere, and display it via a menu callback. The email to the client would have a path that includes your long random string as an argument that the module would use to pull up the right project info.
This means you would also need a form to collect the data and store it, rather than letting the node creation form do it, so it depends on how hard that would be. If there really are many, many fields, using a node might save you a lot of time creating the input form.
Maybe there is somebody out there who knows tons of contributed modules that can be coerced into doing what you want. But if you know menu callbacks and the Form API, the above is not that hard to do. Oh yeah, and sending emails with the mail hook, which can be confusing if you haven't used it.
Content Access Module
Have you looked at the Content Access module (http://drupal.org/project/content_access)? Here's an idea:
First, disable general node access except for special roles (say, admin) which can view everything. That's my answer to the first question.
For clients, create an account for them and author their project content under their name. Using the Content Access module, give the author read access to the content. Then create a menu handler for a path that includes a random number you generate. Tack on the client's user ID somewhere in there and you won't have to check for dup's. Then when someone accesses the site using the special path, you validate the random number and identify the user account. Log them in and re-direct them to their content.
The redirect should prevent anyone from getting the random number in the referer string. If you want security, the magic path needs to be accessed using SSL (use the Secure Pages module to enforce that). The random number essentially functions as a username/password, so you need to prevent it from getting exposed.
What do you think?
Tony Freixas
tony@tigerheron.com
http://www.tigerheron.com
I am not familiar with that
I am not familiar with that module. I'll defintiely check into that.
Is there a simple .htaccess solution to redirect site.com/node to a location of my determination? The /node location won't be used in my sitemap, but a clever user may know what to type to find it. Honestly I don't think I've ever used the basic node rendering display which vomits up all of your node content at once...
The problem I forsee with what you wrote is that the client does not want their customers to have to login. No user name, password, nothing. He just wants to email them a random ID# (generated with content), which will allow them to view the project node.
How I envisoned this, is creating a CCK text field prepopulated with a random alphanumeric string. The user then fills out a form which passes the entered argument to the view, and then the view uses that to display the full node. The view will return nothing if the argument is incorrect. Imperfect, surely, but better than nothing. To really finese the process I would need to bounce the randomly created string against all other created strings to ensure it wasn't already taken. While rare, it could happen and that one time would raise hell.
Then again, I've yet to investigate too far into what would be involved in that process. I'm still busy building out the rest of their content, and have a lot of hours put aside for that portion of the project.
Jesse Nicola -- My Portfolio
If the Content Access node
If the Content Access node works correctly, you should not be able to see any content at site.com/node that you are not authorized to see. I've actually not had a need for this module, so I can't tell you if it does the job properly.
Second, I didn't say that the client needs a user name or a password or has to login. You give them a URL containing the random value. You write a menu item that looks for paths matching this pattern, finds the matching user and logs them in automatically. So, to the user, it looks just like what your boss wants; to Drupal, it looks like someone logged in and you can use the whole ACL system to your advantage.
About the only strange thing is that the client will see a Logout menu item (unless you hide it).
Again, if you include the user ID somewhere in the random string, you won't have to check for duplicates.
How do you log them in automatically? I'm not sure, but I know Ubercart has an option for doing this if an anonymous user goes through checkout, so it can be done.
I don't think this should be a big job. You have to create an account for each client. You have to assign them as the author for their project. You have to set up permissions properly. You have to write the handler for the magic path (find the user associated with the magic number, log them in and redirect them to the proper page). You have to store the magic number somewhere (how about in their profile?).
Tony Freixas
tony@tigerheron.com
http://www.tigerheron.com
A view or panel should be
A view or panel should be able to take over the "/node" path with whatever you like. Also if you do not promote any nodes to front page, /node would be blank.
benjamin, agaric
~ ben melançon