Posted by flickerfly on August 7, 2008 at 3:41pm
I'm working on a D6 site that could be considered an Intranet style site for members of our ministry. It is accessible from anywhere on the Internet, but should have very little content available without logging in.
How do I best lock down the site so that people have to log in before getting information without showing an "Access Denied" page at the first page where they log in? I envision a future where blogs with some public facing content could occur so I don't want to lock out that option in solving this problem.

Comments
several options
There are several modules that limit access to nodes by user role, taxonomy terms, node types, etc.
I know one that I've heard mentioned is Taxonomy Access Control. Another that I have used is Content Access. I also think that Organic Groups has some sort of privacy features with it.
-Mike Goodwin
Red Leaf Media
http://www.redleafmedia.com
I'm aware that there are
I'm aware that there are several potential solutions, but that's not really my question. One of the great deficits of Drupal is the overhead involved in trying to figure out which of these solutions actually fits my scenario. You may sense some frustration on my part. I've spent a significant amount of time evaluating the options, and still don't feel like I've found one that handles my scenario well even though it seems somewhat trivial. I just don't want the "Access Denied" message to show up on the first page if content access is restricted.
Content Access would be my preferred solution, but it seems to be too buggy on D6 at this point. I'm watching development of it. I'm not looking to implement organic groups.
TAC is overly complicated for my expectation and would require that content creators remember the security ramifications of their taxonomy decisions or at least remember to set something.
Maybe this should really be filed as a bug/feature request to core.
Hmm... I note that
Hmm... I note that nodeaccess module has released a D6 version. Perhaps I'm further behind on that than I thought.
edit: in this comment I confused nodeaccess with content_access, giving me much grief. Now I see nodeaccess can do everything I wanted content_access to do, but better. :-)
Nice catch, I've had good
Nice catch, I've had good success with nodeaccess in the past, but hadn't seen nodeaccess for 6 yet either. Thanks for pointing that out.
Ja, "Access Denied" is not cool
This week I discovered the module "forum_access", and when anonymous access to Forums is disabled, it coldly states "Access Denied".
We would like to customize that "Access Denied" page to state something more pleasant such as member benefits.
Michael Lueck
Customerror module
http://drupal.org/project/customerror
See a nice tutorial at http://www.kinetasystems.com/blog/creating-custom-error-pages-in-drupal
One suggestion received
I just received a suggestion to give http://drupal.org/project/logintoboggan a try. From the description, seems indeed to do what we are looking for.
Michael Lueck
Not the solution
Maybe we are chasing down a different error. Anonymously accessing private forums does not return specifically "Access Denied". So I opened a support request against the module: http://drupal.org/node/292469
Michael Lueck
OG
I lean towards using OG and forcing all posts on the Intranet site to be associated with at least one group. This way, you can block or permit public access to content by checking the "Public access" box on individual posts.
Erik Britt-Webb
drupal@ebrittwebb.com
NodeAccess
You can set up default permissions per content type, so blogs are available to anonymous users, but "documents", or whatever your content type for private content is, is set to be available to members of a certain role only.
http://drupal.org/project/nodeaccess
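The per-content-type default described above maps onto Drupal 6's node access hooks. The following is an added sketch, not code from the nodeaccess project or from anyone in this thread; the module name `members_only`, the content type `document` and the realm name are hypothetical.

```php
<?php
// members_only.module -- hypothetical Drupal 6 module (added example).
// Assumed names: module "members_only", content type "document".

/**
 * Implementation of hook_node_access_records().
 *
 * Called when a node's grants are written. For "document" nodes core
 * stores the row returned here instead of its default "all" grant.
 */
function members_only_node_access_records($node) {
  if ($node->type != 'document') {
    // Nothing returned: core keeps its default grant, so blogs and other
    // types stay governed by the ordinary 'access content' permission.
    return;
  }
  return array(
    array(
      'realm' => 'members_only', // hypothetical realm name
      'gid' => 1,                // single grant id shared by all members
      'grant_view' => 1,
      'grant_update' => 0,
      'grant_delete' => 0,
      'priority' => 0,
    ),
  );
}

/**
 * Implementation of hook_node_grants().
 *
 * Hands the grant id to logged-in accounts only. Anonymous (uid 0) gets
 * nothing in this realm, so node/N for a document returns 403 to them.
 */
function members_only_node_grants($account, $op) {
  $grants = array();
  if ($op == 'view' && $account->uid > 0) {
    $grants['members_only'] = array(1);
  }
  return $grants;
}
```

After enabling a module like this, node access permissions have to be rebuilt so existing document nodes pick up the grant. Because the restriction is enforced per node rather than in the theme, it holds on direct URLs as well as on the front page.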
Ooohhh... I'd cancelled node
Ooohhh... I'd cancelled node access out because it was for individual nodes, but now that I see I can assimilate the functions of content access by hiding the controls and setting defaults I have suddenly found what might be my new favorite module!
Thanks mikey_p, I just spent the last hours playing with this and discovering exactly what I wanted!
This also gives me the opportunity to provide more fine-grained access on blogs later so it is good for the expected future! WaHoooo!
A couple of solutions
Regarding the original question about fixing the "Access denied" error - or worse, "Welcome to your new Drupal site" when users can't access any nodes - the cleanest solution might be a custom page-front.tpl.php that doesn't attempt to display any real content. In this case, most of the front page content would probably be built with blocks.
I have done similar things with both the Front Page module and with Panels. I'll do it with page-front.tpl.php next time.
As for friendlier Access Denied pages, try changing the default 403 page in admin/settings/error-reporting to something you'll allow your users to view. In a pinch, change it to user/login so they'll be prompted to log in on error.
As for securing the content, I've done it with Taxonomy Access as listed above, and with Organic Groups. I suspect that OG will be the best solution. Your mindset sounds similar to where mine was when I started a site with OG. It was originally intended to be a portal, but is starting to become a community website instead. Access to certain content is still restricted by group membership while other nodes are visible to the anonymous user. I believe defaults can be set per content type on the current version of OG.
Micah
I can create a custom
I can create a custom front-page template without running into the Access Denied issue?... That sounds like a very attractive solution. Thanks Micah!
I intentionally want to foster an open and non-segmented environment with the community I hope to build inside this site. I've been avoiding Organic Groups because it seems the point of OG is segmentation. I don't want that once the person is actually in. I only have the potential of about 150 users for the beginning year plus of this project so I fear segmenting the community would kill it right away by dividing their attention from each other.
A crude example
Here's a crude example of a page-front template that removes the content for anonymous users. I'm sure there are better examples, but I did this one while playing around with the concept one day. It removes content, primary links and secondary links for the anonymous user.
--- page.tpl.php 2006-12-05 10:12:04.000000000 -0500
+++ page-front.tpl.php 2008-06-03 22:29:02.000000000 -0400
@@ -34,13 +33,13 @@
<?php endif;?>
</div>
-<?php if (count($primary_links)) : ?>
+<?php if ($user->uid && count($primary_links)) : ?>
<div id="top-nav" class="clear-block">
<?php print theme('links', $primary_links, array('id' => 'primary')) ?>
</div>
<?php endif; ?>
-<?php if (count($secondary_links)) : ?>
+<?php if ($user->uid && count($secondary_links)) : ?>
<div id="top-nav2" class="clear-block">
<?php print theme('links', $secondary_links, array('id' => 'secondary')) ?>
</div>
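Review bot: Both new conditions read `$user->uid`, but nothing in the visible lines brings `$user` into the template's scope, so confirm the theme actually provides it here; if it is undefined the test is false for everyone and the menus disappear for logged-in members too. Also note that this only stops the links from being printed for uid 0. The paths behind them stay reachable by URL, and if the login link lives in the primary or secondary menu, anonymous visitors lose their route to it.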
@@ -72,8 +71,20 @@
<?php print $tabs ?>
<?php print $help ?>
<?php print $messages ?>
+<?php if ($user->uid): ?>
<?php print $content ?>
+<?php else: ?>
+
+<p>This is page-front.tpl.php with the $content not shown if $user->uid is
+zero. I think this would be a cool place to allow blocks or insert some
+views in a similar way that panels would work. This front page template
+should probably be cleaned up to remove code that would be used on non-front
+pages.</p>
+<p>This doesn't provide 100% security, because users can still drill down to
+anything that is visible to uid 0.</p>
+
+<?php endif; ?>
<?php if ($sidebar_right): ?>
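Review bot: The `$user->uid` test around `print $content` is a display decision in the front-page template only, not an access check, as the added paragraph itself admits: anything visible to uid 0 can still be requested on its own URL. Keep it for the front-page layout, but back it with the anonymous role's permissions or a node access module. The two placeholder `<p>` blocks are developer notes that would be shown to every anonymous visitor, so replace them with the intended login prompt before this goes live.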
Note that I totally went the cheap route and hard-coded HTML in this page. It was just proof of concept. Also, this isn't to Drupal coding standards, but neither was the contributed theme I was hacking.
Micah
But why?
Why not just deny access to a private page to anonymous users?
http://firstbaptistchurchsh.com
Pastor David
http://thebridgechristianlifecenter.com
Pastor David
Two questions....
What is a private page? How are you going to define this?
How are you going to deny access to just private pages for anonymous users?
This requires a solution like mentioned above, or Nodeaccess module.
Apples and Oranges, Maybe?
The reason for the custom front page example I posted isn't really directly related to the issue of how and why to restrict access to content. I'm not even sure it addresses the "Access Denied" messages in question.
The example I posted is a potential solution for the problem where no content is promoted to the front page, or when a user (including anonymous) cannot access any of the promoted nodes. When there's no content to display, Drupal reverts back to the "Welcome to your new site" message. That goes away if you don't try to display content.
Granted, there are a million other reasons to do a custom front page, too. Not everybody wants the "river of news" look on their home page.
Sorry if my example was unclear in its intent.
Micah
of course
Of course, you'll still want to make sure that you don't allow anonymous users the 'access content' option in Access Control, or User Permissions, depending on your version of Drupal.
Try TAC-lite
I implemented a church site in V5 where they wanted to restrict a lot of content to only logged in users. We used TAC-lite and taxonomy terms to restrict content. TAC-lite is easy to implement if it meets your requirements, and it sounds like it would. Many pages are restricted to authorized users only, and the taxonomy approach does this easily. We also restrict some pages to users with a particular role, which is what TAC-lite does.
We used a custom "access denied" page to convey the message we wanted for anonymous users (or, often, users who had not remembered to log in yet). If you create pages that contain the message that you want to replace access denied, and then go to admin/settings/error-reporting, you can substitute those custom pages. No other module is required.
Because they wanted tight security for certain pages and file uploads, we also implemented the private file system, and use the optional core Upload module to upload all files. This only allows access to pages and files for users who pass TAC-LITE security.
An administrator maintains the site content, and after I documented the approach and trained her, she has had no problem adding content and restricting it appropriately.
I checked and the modules are also available in V6.