Access Control

This group should probably have more organizers. See documentation on this recommendation.

Several months ago, I was tasked with creating some way to assign roles to users in groups. I installed the og roles module. What I discovered was that this module simply assigned a role to a user, not to a user in a particular group. I realized what I needed was a way to assign a role to a user in a way so that the user would only have this role in this particular group, not sitewide and certainly not in all groups. To do this, I needed to understand Drupal permissions and Access Control worked. My progress on this particular task is here:

Fast forward a few months later, when I was trying to use OG and Taxonomy Access Control (TAC). To my horror, I discovered that if a node was posted to a group, a user who was not in the group could access the node if he had access to the Taxonomy term. And, vice versa, if a user was in a group that the node belonged to, but DID NOT have access to the Taxonomy term, he could still access the node. This, in my opinion, was two Access Control systems tolerating each other, not working together. My progress on ths particular task is noted here:

So, I set about, merrily hacking my way through, until I had resolved both issues. Unfortunately, hacking Drupal core code is not a very good long term solution. And, when I applied for a project for my og user roles module, Drupal Admin told me as much.

What I needed was an environment where I could discuss my ideas with like minded folk who wanted to achieve the same goal: Get Drupal Access Control to open up so that various ACS (access control systems) from various modules could work together instead of at cross purposes as they do now.

That's why I created this discussion group. My first task is to work on getting og user roles approved as a project. For that, I need to figure out how to get it working without hacking the user_access function in the user.module.

That's the plan.

moshe weitzman's picture

Action items from Node Access BoF in Szeged

We had a terrific session and subsequent meeting at Drupalcon. We discussed a number of wishes for node access and here are the action items that resulted.

* Migrate all operations to hook_nodeapi('access') and deprecate hook_access(): KEN.
* Add a drupal_alter() after hook_node_access_records(): MOSHE
* Add a drupal_alter() after hook_node_grants(): UNASSIGNED. POSTPONED UNTIL DB_REWRITE_SQL IS GONE
* Administer nodes perm => 'bypass node access' KEN
* Node perms move to a new node_perms module which implements nodeapi('access') LARRY GARFIELD

Other items that need doing


Read more
Anisorf's picture

Control node access combined with field access

I'm straggling with a conflict for controlling permission access on node base and on field base.

Read more
PlayfulWolf's picture

Node delete/edit for anonymous, how-to?

I have a real world example:
There is a classified ads site where registered and anonymous users are allowed to post ads. Principle is that user experience of the site is designed to be "quick ad posting" - it is the main reason they are allowed for anonymous. There is also thought an option for anonymous to delete their ads as the item is already sold.
How I think this workflow can look like:

Read more
vood002's picture

Drupal 6 access control question for basic user groups (not using OG module)

I'm hoping for some strategy input if anyone can be of assistance:

I have a client who is running Drupal 6 and requesting functionality that looks like a good candidate for OG, but honestly OG seems like overkill for the request...I was hoping to get some input on the best way to handle it.

Essentially they want to be able to create downloads, groups and users. They'll create downloads that are available to groups of users. Create a download, tag the groups that can download it. Create a user, tag the groups that user belongs to, done: the user is able to download that file.

Read more
xjm's picture

Munich BoF: The Future of Node/Entity Access

2012-08-21 17:00 - 18:00 Europe/Berlin
Event type: 

We have a lot of decisions to make about how Node Access (and potentially Entity Access) moves forward in Drupal 8.

If you can about security, access control, and/or entities, come help us design the solution for Drupal 8.

NOTE: This is the ONLY time that co-maintainers xjm and agentrickard can schedule a BoF. Also, be sure to check the schedule the day of the BoF; we are trying to switch into a larger room.

Read more
Anandyrh's picture

Online Book Management

Several times I tried searching for modules related to Book access control specific to users, but unfortunately I could not find any so far.

I am trying to build a online book management website where I will have hundreds of books.

Initially users will have access to first page of the book with 'Table of content'.

Once users requests a book to read by filling up a form, Site admin will grant access to user for that particular book to read.

Someone please explain me about the best modules that can be used to do this.

Thanks in advance,

Read more
tedbow's picture

Controlling access to nodes by simple user relationships

I looking for solution or ideas about how to solve this problem in Drupal 7.

I am going to have a site where users will be working in pairs. One user(Poster) will be posting nodes and another user(Viewer) should have View access to posters nodes. Nobody else outside of these 2 users should be able View the the Posters nodes.

I have thought using the User Relationship module, but it seems overly complicated for what I am trying and would present other problems for my purposes.

Read more
carsato's picture

Access a node into a group without being group member and having a special role.

Hello everybody

I'm using OpenAtrium, I think it's 1.0, but not sure.

I need a user with special profile to access a node into a group without being group member. Is that possible?

In short my code gives groups and "my_content_type" a grant called "my_realm" with gid 1.
hook_node_grants() gives each user with "my_special_role" a grant called "my_realm" with gid 1.

As far as I know that should give access user to node, isn't it?

I added this code, but it's not working:


* hook_node_grants()

Read more
muruga.sp's picture

Payment user registration

Hi Friends ,

I want one functionality for my new website . New user registration with payment options. Register page have some options like 6 month Subscriptions and 1 Year & 2 Year Subscriptions options. After one year automatically expiry on particular user or Renew options for that users. I used ubercart but i dont know how to configure properly, Please help me anyone!.


Read more
popendos72's picture

Limited Access to referenced nodes

I already spend hours searching but seemed not being able to find anything for Drupal 6. There is a new module for Drupal 7 that deals with comments but nothing (that I could find) for 6.

I already have 2 content types. “Story” is main content type, “page” is a second content type that is created in response and is referenced to “story”. I am using node reference module and views attach module. I need all “page” content be visible only to the author of “story” and a creator of “page”.

Read more
IrishGringo's picture

Suggestions for D6 and D7

I just wanted to get some confirmations on how the smart guys would do it.

This is the mission: This is the theoretical scenario:
A contract, consulting company that has compiled a collection of past projects with details, they they would like to present to potential clients. But they don't want to the Competition to see these "PROJECTS", and they especially don't want to allow the prospects to share the "projects" with the competition.

Read more

Drupal 8 Node Access Hitlist

It's that time again... With Drupal 7 released, we can start looking at fixes and features for Drupal 8.

I'm hoping to explain each of the items below in the next week or two, and open issues as appropriate. If you already know of issues that apply, please add the link.

This list is in general order or priority, with easiest items going in first, and hard tasks deferred to later.

Improve node access query performance

Type: Bug
Priority: High
Entered by: agentrickard
Owned by:
Issue #:

Read more
tmuras's picture

Taxonomy based access for Drupal 7

Hello Everyone,

I'm working on a new module for D7 that will extend access permissions based on taxonomy. The idea is based on an excellent Taxonomy Access Control. My goal is to create an API module - similar to ACL that will have all the features of Taxonomy Access Control and also Taxonomy Access Control Lite. Then (again just like in ACL) a different front-end modules could be created.

Read more
btopro's picture

Strange OG duplicated node permission error

I hope someone has run into something like this before... I'm using a group who's form duplicates nodes and automatically associates them to the new group. So you create a group, select a book in the system and it will grab the book, duplicate it and set the og node settings to the new group. Then it performs a node_save after removing the nid so it's a "new node" with the old content / hierarchy.

Read more
allandk's picture

webair CDN and access control


I am considering all my media content to webair CDN

Will I be able to maintain access control to media for members/non-members with and is there anyone out there that can set this up for me ?

Regards Allan

Read more
allandk's picture

Private file transfer is killing me

Like the title says - looking for performance expert to come up with a solution

regards Allan

Read more
oxford-dev's picture

How to share filesystem across multisite/subdomains

My situation is:

I have a website, i want to mirror this site completely except for the theme so that in apache i can direct mobile devices to where they can use exactly the same site but with a mobile optimised theme.

I know there are numerous mobile modules out there but they suffer from caching limitations, ie, when a page is accessed from a computer, that same cached page is sent to any subsequent requests, including mobiles.

I know there are also domain/subdomain modules out there also but they are overweight for what i need.

Read more
johnbarclay's picture

iMIS Authorization

I'm working on a project that will use CAS as the authentication, but iMIS for authorization. I just wrote the ldap_authorization module for the ldap project. An imis authorization module would be very similar in architecture:

  1. have a site admin define a set of rules for mapping a drupal user to an imis/ldap user and then an imis/ldap user to drupal roles, og groups ids, etc. In LDAP the rules are based on the ldap user entry attributes. In iMIS the mapping rules might include any number of imis attributes such as the GetParticipations webservice.

  2. When a user authenticates,

Read more
jspapas's picture

Logging in with Shibboleth doesn't fire the "User Login" Event?

In my installation the users login with Shibboleth [1], but the rule [2] I've set up to be executed on "User has logged in" event, isn't executed.

On the other hand, when I login as administrator through the normal Drupal way, the rule is executed.

Does this mean that the external login event isn't handled at all?

Is there a way to overcome this?


Read more
jspapas's picture

Dynamic forum permissions

My users access Drupal through SSO and everytime the server authorizes them, it returns a set of permissions, according to which I need to dynamically set the User's forum permissions.

So for example if a User logs in and the SSO says that he has enrolled in a course, I need to give him specific permissions for that course's forum.

Obviously I need a custom module for that, but it's a little hard to start.

I'm thinking of using the ACL module's API, but I can find any documentation or tutorial online. Is there any?

Is there a better way to get around this?

Read more
Subscribe with RSS Syndicate content