Several months ago, I was tasked with creating some way to assign roles to users in groups. I installed the og roles module. What I discovered was that this module simply assigned a role to a user, not to a user in a particular group. I realized what I needed was a way to assign a role to a user in a way so that the user would only have this role in this particular group, not sitewide and certainly not in all groups. To do this, I needed to understand Drupal permissions and Access Control worked. My progress on this particular task is here: http://drupal.org/node/87679
Fast forward a few months later, when I was trying to use OG and Taxonomy Access Control (TAC). To my horror, I discovered that if a node was posted to a group, a user who was not in the group could access the node if he had access to the Taxonomy term. And, vice versa, if a user was in a group that the node belonged to, but DID NOT have access to the Taxonomy term, he could still access the node. This, in my opinion, was two Access Control systems tolerating each other, not working together. My progress on ths particular task is noted here: http://drupal.org/node/122712
So, I set about, merrily hacking my way through, until I had resolved both issues. Unfortunately, hacking Drupal core code is not a very good long term solution. And, when I applied for a project for my og user roles module, Drupal Admin told me as much.
What I needed was an environment where I could discuss my ideas with like minded folk who wanted to achieve the same goal: Get Drupal Access Control to open up so that various ACS (access control systems) from various modules could work together instead of at cross purposes as they do now.
That's why I created this discussion group. My first task is to work on getting og user roles approved as a project. For that, I need to figure out how to get it working without hacking the user_access function in the user.module.
That's the plan.
Question about content access module
I just downloaded the content access module and installed it, it was late and I was pretty sure that it was working, but this morning when I tried to check the module and start playing with it, and I can't find it any longer, the module is still there and enabled, I was pretty sure that I saw it in Administer > Content management > content type where there was a tab, but today I couldn't see it any longer, I've been through the whole menu and couldn't see it and couldn't find detailed documentation.
Read more
ACL or Rules-Based Security for Drupal?
Joomla has announced availability of new ACL: http://is.gd/iA5B and they seem pretty excited about it. Is that something for Drupal community to be jealous of?
If you come from a Java/J2EE background the clear answer is: NO (yes, in capital letters). You have to actually suffer from a structured, strict ACL to really appreciate the simplicity of a security system like that of Drupal.
Now, you may argue that Drupal security is slightly over-simplistic and too code-oriented (makes us, the developers happy) for "business" use.
Read moreLDAP Integration Help Module and Documentation Update. Looking for non Active Directory LDAP users
I've been working on an LDAP help module to help admins configuring ldap integration ( http://drupal.org/project/ldap_integration ).
I use Microsoft Active Directory for LDAP. I wanted to get some people who were using other ldaps together to:
1) test andgive me feedback so I can finish the help modules
2) work with me to update the documentation for ldap_integration: http://drupal.org/node/62217
Its functionality is based on what support requests from the ldap integration issue que:
- to make support and bug reports better by getting a more complete set of information
Node Access by Menu Position -- Does this exist, or should we build it (and can it be built)?
A client of ours -- a university -- has quite an extensive hierarchical menu structure. They want the ability to take a top-level menu item, such as "Current Students" and control which roles can manage (create/edit/delete, based on their role's permissions under admin/user/permissions) and view the content under that section. Permissions should cascade down to sub-items in the tree unless explicitly overridden. They also need to then restrict access to adding new pages underneath menu items they do not have access to.
Here's a mock-up that describes what we're after, since it's easier than me explaining. :) Also, I should point out that this is for Drupal 6.
Read more
Using OG for a e-learning & access control setup
Hello access control group,
I have been tapped with setting up an e-learing site with the following characteristics:
- Super administrator must manage (setup, delete) intructors.
- Instructors must administer (invite, accept, delete) all students to their class/group. Ideally, there is a way for the instructor to customize the registration/login page for their students.
- Once a student has access, they all have access to the same exact content (a set of lessons).
Question on OG user roles functionality
Hi, I sent this question to Drupal forums but dint get a response. I think this group is more apprpriate for it. Based on what I read here, seems like thr OG User roles is designed to do what I'm trying to accomplish, but couldn;t get it to behave as expected. I'm pretty new to this so just might need some clarifications on how to get this working.
Basically, I want to setup certain users with permissions to submit blogs only for specific groups (not system wide).
So here's what I did.
As admin:
Read moreFirst implementation of og_access with ACL
Hi,
I'm a little bit frustrated by the User access implementation proposed for OG, it's too much complicated and i don't think that TAC/CA/ACL/OG combination with many many many hacks is the right way (but it's a very very good work too).
So, i really need for my project, this simple things:
1) Organic Group
2) User can post in Public or in their suscribed groups
3) AND they must have the possibility to grant other users that can be outside of his group
Language Based Access Control
Hello,
I'm building a multi-lingual site, where I would like different translation groups/roles to be able to work on their language (and only their language) to translate source content. In some cases translating in response to content being posted, and at other times originating the content.
Read moreMultiple Node Access Logic Patch
Last updated by somebodysysop on Fri, 2008-05-09 17:54
It appears that agentrickard has created the solution to the problem for which the Access Control Group was originally created: The Multiple Node Access Logic Patch: http://drupal.org/node/196922
I have used this patch to successfully get TAC and OG working together. I'm including it in the next release of OG User Roles (5.x-3.0): http://groups.drupal.org/node/3700
As great as I think this patch is, it probably won't make it into Drupal core, for a variety of reasons.
Read more
module-based multiple node_access?
I had a notion the other day of a module to bypass node_access. It seems if you had a module with a very heavy weight and hook_node_access_records, it could fire after all the other hook_node_access_records calls. Then it could:
- Copy all the other modules' node_access records into a table of its own with the same structure as node_access.
- Set all the other modules' node_access records to DENY for everything.
Case study: running a small college site with drupal
Hi folks,
I'm following up on promises I made during the Birds of a Feather sessions at Drupalcon Boston to post a case study of how we're using Drupal at Amherst College. We've developed a module to facilitate hierarchical content creation and permission control that's also of potential interest to folks outside of the academic community.
Preamble aside - about 3 years ago the college decided to fundamentally change the way it was approaching the web, and a little over 2 years ago we started building on top of Drupal. The project had some broad goals:
Read morePartial forum sharing
Here's my setup: I have a network with different forums and different content but shared users on one codebase on the same database with different prefixes.
What I'm hoping for is a way for all of these sites to share the same 'off-topic' category but different overall forums. What's the best way to achieve this? Thanks.
Read moreTODO list: Eventual Version Control migration for drupal.org
This is a loose checklist of items that need to be taken care of to get Version Control API working on drupal.org. The bulk of the required work has been done, and the current plan is to get the 6.x-1.x branch deployed on drupal.org before the d.o redesign is done.
- Script for migrating from cvs.module to versioncontrol_cvs -- partially done
http://drupal.org/node/346362 -- Print warning message after branch creation to update workspace (port over from cvs.module)-- done
What to do about node_access_rebuild()
So I am researching Taxonomy Access Control (TAC) and Domain Access (DA) integration (though this applies to Organic Groups (OG) and other modules as well). And here's the problem.
node_access_rebuild(), as far as I can tell, is only designed to work with a single access control system.
Read moreTAC as multisite solution -- groups and domains as roles, using roles.
There's a new tutorial at http://drupal.org/node/200631 which is a different approach to Taxonomy Access Control than I have seen, a very different approach to Groups (as a concept), and multiple Domains (hence a multisite solution). I am trying to discern what is going on with og, mulltisite, domain access, and TAC generally.
Read more
Request for comments -- Setting OG group defaults on a group type by group type basis
Currently, within OG, all the group settings are set sitewide for all types of group nodes. We are looking to implement group type by group type default permissions to allow for different types of groups within the same site --
We will be working out a solution to this issue and releasing the code back as a contrib module -- however, before we start coding we want to get some feedback/see if anyone else was thinking along similar lines.
The issue is here: http://drupal.org/node/192933 -- please centralize any discussion on the issue queue.
Cheers,
Bill
Read moreLeast permissions and node_access
OK, so I'm working on integrating Domain Access with OG.
Problem is, the current node_access system uses OR based permissions. What I really need is the option to set AND based permissions. For example:
-- Current node_access rules
return TRUE IF (og == TRUE) OR (Domain Access == TRUE);-- Desired rules
return TRUE IF (og == TRUE) AND (Domain Access == TRUE);See http://drupal.org/node/191375 for a full discussion and some possible options.
Read moreDomain Access uninstall and update questions
OK, beta6 is out and the release is looking pretty good.
But I introduced the Domain Prefix module -- it creates a UI for dynamic table prefixing. So, for example, each of your subdomains can have a different watchdog table. The $db_prefix array is dynamically set on bootstrap.
Two big issues -- notwithstanding the lack of pgSQL support, which I'll get to shortly.
- I have not found a way to run a function any time hook_uninstall() is run.
Attempts to add a #submit handler using hook_form_alter() failed. As a resut
Domain Access
For a project, we just came up with another way to skin the multisite problem.
Domain Access is a node access module that enables multiple sites to be run from one installation.
The beta has been released.
See the module in action at http://skirt.com/map
Read moreHelp needed understanding Access Control in OG
Hello,
I'm here because it seems like the only place I am likely to find some help with Access Control, having scoured the internet for help elsewhere...
