Drupal Node Access Explained
Drupal's API contains a pretty good description of how node access works (developers should also analyze the node_access function itself). There are many contributed node access control modules for Drupal and you really should understand the basics of node access before installing and configuring one. The API should suffice for developers but for the benefit of our many community members who build sites without reading code, here is a translation and some basic rules of thumb:
- In general, you don't want to use more than one node access module on your site. There are many node access modules to choose from: taxonomy access, nodeaccess, simple access, workflow access, etc. We all tend to add lots of modules to our sites and to expect them to play well together, but node access is an area where we need to be extra thoughtful.
- Users with permission to 'administer nodes' are never restricted by node access modules. Users who do not have permission to 'access content' will never gain access from a node access module. Only users who have 'access content' and not 'administer nodes' are eligible for the wild world of node access module control.
- If a user's role has permission to create or edit a content type, or to edit their own posts in that content type, that ability will always be allowed regardless of your node access module's configuration. Delete access is included in the 'edit' permission. If you want to control creating, editing, or deleting of your nodes with a node access module, be sure to not give your users these permissions in the permissions table.
- If your content type comes from an additional module (forum, event, etc.) other than cck, it may have its own permissions to set. Giving a role these permissions will also supersede the use of any node access module.
- Node access modules always GRANT access and never restrict it. (It is a whitelisting rather a blacklisting system.) If you use two node access modules and one grants access while another does not, access is granted. This may be backwards from what some people would assume and is the reason why it is tricky to get involved with multiple node access modules. It is possible to use multiple node access modules in harmony however if for example they are applied to different content types or are giving out different grant types.
- The four types of possible grants on a node are: view, update, create, and delete. You can use Devel module's devel_node_access to analyze a node's node access grants. (Doing so as a non-developer is a good sign that you've gotten into trouble with your node access modules and may need to follow the above advice!)
- The node access table in the database can become confused if you have, for example, toyed with multiple node access modules or come into contact with a deranged one. If you have been involved with risky node access behaviors you should rebuild your permissions. You can find this option at admin/content/node-settings which is the 'Post Settings' configuration screen. It is rarely necessary.
multiple modules for same work
"We all tend to add lots of modules to our sites and to expect them to play well together, but node access is an area where we need to be extra thoughtful."
This is what I was doing for node access, and was wondering why it is not working.
Thank you,
http://www.zaklinks.com/
Trying to decide of a node access that's right for me
I am looking to create a node access method to answer these specific needs:
1. My node represents a Business which is created by some super user.
2. This super user can now edit all of the Business fields.
3. This super user can now dynamically grant node specific access to the business staff members.
4. Business staff can only edit part of the node fields.
5. I would like to use existing (and reliable) modules if possible.
as simple as it may sound I'm still not sure which methid is the right one for me.
I am new to drupal so I might be unaware of drupal best practices.
that's why I want your help and knowledge.
These are some of the ways I've come up with altough each has it's drawbacks:
* The fields in a business will actually be nodes that reference the main node. use "Node access node reference" module for access control.
* The fields in a business will actually be nodes referenced to by a main node. I still don't know of a good module to handle grants.
* Spliting the Business node to 2 nodes "Business review" and "Business details", only "Business details" will be available for staff members to edit.
(But how do I combine the 2 though?)
(I tried using both "node access" and "content permission" to allow staff edit access only to the right fields
- But I have found that total permissions are not INTERSECTED but rather UNIONED, so staff members get too much access)
I would like to hear anything you think is relevant of your own experience. Thanks.
please see the drupal post I wrote that has more details
http://drupal.org/node/666614
Good article
As one of the authors of a node access module. this is a very handy review. You should ask add it to the Handbook.
And, for further fun getting NA modules to play nice, see http://drupal.org/node/196922
Nice patch
Interesting stuff. I'd love to see anything that would make my long explanation unnecessary.
Did add to handbook, thanks.
Workflow Access?
What is the Workflow Access module you mention in the second paragraph? I know of the Workflow Owner module but that assigns ownership of a workflow state, not a node.
Thanks for the post.
Workflow submodule
Workflow Access is just a submodule included in the workflow module.
Post new comment