I've been able to successfully get OG and TAC to cooperate with respect to access control. You've probably seen the discussion here: http://groups.drupal.org/node/3700

I really like the functionality you've put into this content_access, and have been thinking of how to get it to work as well.

I've been looking through the code and can't seem to see what I need, which is:

A way to return whether, according to content_access, a particular user has permission to execute a particular operation on a particular node. Something like a hook_access ($op, $node) (http://api.drupal.org/api/5/function/hook_access) that will return simply true or false.

I looked at content_access_node_access_records, but so far the following code doesn't seem to return anything at all: 

$node = node_load(arg(1));
$grants = content_access_node_access_records($node);
print_r($grants);

What I do in my current nodeapi code is query OG and TAC and see what they return. If they both return true or null, then we're good. If one returns false, then the user can't access the content. Pretty simple. If I can figure out a query for CA (content_access), I'd happily add it to the mix.

Here is an example of the check I run for OG. I'm not suggesting I do this exactly for content_access, but something that will give me similar results.
<?
/**
* Called by og_user_roles_nodeapi('access')
* To check og access permissions
*/
function og_user_roles_og_access_check($op, $node = NULL) {
global $user;
$uid = $user->uid;
if ($op != 'create' && $node->nid && $node->status) {
if (isset($user) && is_array($user->og_groups)) {
$gids = array_keys($user->og_groups);
}
else {
$gids[] = 0;
}

if (isset($user) && is_array($user->roles)) {
$rids = array_keys($user->roles);
}
else {
$rids[] = 1;
}

// if this node has groups or is a group, then use group sql, else use non-group sql
$groups = $node->og_groups;
if ($groups || $node->type == 'group') {
$sql = "
SELECT COUNT(*) FROM {node_access} na
LEFT OUTER JOIN {og_uid} ogu on ogu.nid = na.nid
LEFT OUTER JOIN {og} ogm on ogm.nid = na.nid
WHERE (na.nid = 0 OR na.nid = %d)
AND ((na.realm = 'og_public' and na.gid = 0)
OR (na.realm = 'og_subscriber' AND na.gid in ('%s'))
OR (ogm.nid > 0 and (na.nid in ('%s')) or ogm.directory = 1)
OR (na.realm = 'term_access' AND na.nid in ('%s')))
AND (na.grant_$op >= 1 OR (ogu.is_admin = 1 AND ogu.uid = %d))
";
$group_ids = implode(',', $gids);
$result = db_query($sql, $node->nid, $group_ids, $group_ids, $group_ids, $uid);
}
else {
$sql = "
SELECT COUNT(*) FROM {node_access} na
WHERE (na.nid = 0 OR na.nid = %d)
AND (na.realm = 'term_access' AND na.gid in ('%s'))
AND na.grant_$op >= 1
";
$result = db_query($sql, $node->nid, implode(',', $rids));
}

$output = (db_result($result));

if ($output == 0) {
return FALSE;
}
if ($output > 0) {
return TRUE;
}
}
}
?>
If you can give me some hint as to how I could get similar results from your module, I'd appreciate it.

Thanks for any assistance you can provide.

Comments

somebodysysop’s picture

somebodysysop commented

Found a way to do it. I created a check for content_access as well as ACL permissions.

ACL check is posted as update to this issue: http://drupal.org/node/161639

content_access permissions check:

/**
 * This module assumes that you have content_access and acl modules installed
 *
 * Called by og_user_roles_nodeapi('access')
 * To check content_access permissions
 */
function og_user_roles_content_access_check($op, $node = NULL) {
  global $user;
  $uid = $user->uid;
  if (module_exists('content_access')) {
    if ($op != 'create' && $node->nid && $node->status) {
      $grants = array();
      foreach (content_access_node_grants($user, $op) as $realm => $gids) {
        foreach ($gids as $gid) {
          $grants[] = "(gid = $gid AND realm = '$realm')";
        }
      }
      $grants_sql = '';
      if (count($grants)) {
        $grants_sql = 'AND ('. implode(' OR ', $grants) .')';
      }
      $sql = "SELECT COUNT(*) FROM {node_access} WHERE (nid = 0 OR nid = %d) $grants_sql AND grant_$op >= 1";

      $result = db_query($sql, $node->nid);

      $output = (db_result($result));

      if ($output > 0) {
        return TRUE;
      }
      if ($output == 0) {
	    // If no results from content_access, try acl
        $output = og_user_roles_content_access_acl_check($op, $node);
		return $output;
      }
    }
  } else {
    return null;
  }
}

So far, works fine!

The only caveat is that it doesn't exactly work with TAC in my environment because if a user has permissions for a node as a result of a vocabulary term (using TAC permissions matrix), I don't seem to be able to NOT allow the user access if TAC allows it. However, using TAC, if I create a "NONE" category that effectively gives no one access to the content, I can then grant permissions to roles/users for access to it via content_access without worry about conflict in access controls.

The code I posted in the issue above helps to make this possible by informing me that the user has

Cool!

If you see anything that doesn't seem right, please let me know. I'm new at this!

socialnicheguru’s picture

socialnicheguru commented

will this work on D6?

somebodysysop’s picture

somebodysysop commented

The functionality is still supported, but the mechanism is different. The above code utilized the Extensible Node Access/Authorisation Capability patch: http://drupal.org/node/122173.

The current functionality in 6.x utilizes the Multiple Node Access logic patch: http://drupal.org/node/196922.

good_man’s picture

good_man commented
Status: Active » Closed (won't fix)

Closing it as 5.x is not supported anymore.

Related #1209296: Compatibility with OG