I've just installed the content access module, and I really like it !

However, I find a little unintuitive (and insecure) the way per-node access control is handled.

I would expect node authors to be offered access control forms on the node creation page. However, it seems the expected work-flow is to:

  1. create a node (with full access control as per the content-type-specific settings), and only then;
  2. change access control parameters.

Thus, there is some time between 1) (node creation) and 2) (node editing) where access control is granted to everybody.

Copied from #2839772: There is no way to edit permissions when creating a node:

I configured Content Access to allow per node settings for a given content type. 90% of nodes of this type should be visible to everybody, so I set the default permissions accordingly (view: anonymous + authenticated users). But there are these 10% of nodes which should in no way be visible to anonymous users and authenticated users who are not in some given role. So when creating one of these private nodes, I expect to have a way to restrict view permissions at the same time as the creation of this node, else there will be some time (a few minutes or tens of seconds) during which the node will be visible to everybody before the node author had time to restrict access.

My proposal would be to have a UI similar to what the Page Access module does: https://www.drupal.org/project/page_access.

CommentFileSizeAuthor
#5 content_access.module.patch4.64 KBdvinegla
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Muslim guy’s picture

Muslim guy CreditAttribution: Muslim guy commented
Title: no access control setting during node creation » Nodeaccess too

I was also thinking aboout nodeaccess.module

A user has to submit it first, then edit it and click `grant' tab

Muslim guy’s picture

Muslim guy CreditAttribution: Muslim guy commented
Title: Nodeaccess too » no access control setting during node creation

Sorry the original title was changed

fago’s picture

fago
Primary language German
Location Vienna
CreditAttribution: fago commented
Title: no access control setting during node creation » include the access control settings in the node form
Category: bug » feature

hm, I don't use the module this way, but yes this might be not ideal for newly created nodes. Feel free to provide a patch, that improves that. :)

chrisroditis’s picture

chrisroditis CreditAttribution: chrisroditis commented

Has anyone managed to add this functionality?

dvinegla’s picture

dvinegla CreditAttribution: dvinegla commented
FileSize
content_access.module.patch4.64 KB

this is a patch.

Notes:
-Only works with ACL 5.x-1.x-dev
-workflow-ng is not tested.

dvinegla’s picture

dvinegla CreditAttribution: dvinegla commented
Version: 5.x-1.2 » 5.x-1.3
dvinegla’s picture

dvinegla CreditAttribution: dvinegla commented
Status: Active » Needs work
design.er’s picture

design.er CreditAttribution: design.er commented

has anybody tested this patch yet?
Unfortunately I'm using D6 so I'm unable to test it at the moment.
It would be an absolutely usability improvement if this feature could go into the content access core - even if only as an option.

cyoong87’s picture

cyoong87 CreditAttribution: cyoong87 commented
Version: 5.x-1.3 » 5.x-1.5

The patch works. It also works with the latest stable ACL module. I haven't tested the workflow-ng.

Does anyone know how to hide, disable, or filter the roles?

I've tried modifying the hook_form_alter so I can use '#disabled' for the checkboxes. It seems to me it uses checkboxes so I guess there is no attribute to disabling an option. If I try to disable a checkbox for a 'View', 'Edit', or 'Delete' column under Role Access Control, it disables all the checkboxes.

TimAlsop’s picture

TimAlsop CreditAttribution: TimAlsop commented

Does this patch work with Drupal 6, with ACL 6.x-1.2 and Content Access 6.x-1.2 installed ?
I have another access control module installed for domain access control, and this shows options when I create new content, but the node access control is not shown and I have to edit the node after it has been created. As somebody mentioned earlier, this is not the best security because it means for a short moment the node is available to all users.

soulston’s picture

soulston CreditAttribution: soulston commented

I am working on this same problem at the moment.

The work around is to set the node to unpublished, set permissions and then set node to published - you can obviously set the general settings for the content type to be unpublished removing 1 of the above steps but it's not ideal.

I had a look at rules to see if you could redirect to the node/[node:nid]/access page so you were effectively setting the permissions straight away but this didn't work - maybe as the nid hadn't been created on form submit? any other ideas?

There is a module called:

http://drupal.org/project/subform_element

which seems to let you place a form within a form - that might be another work around.

Ideally it needs something like this in a hook_form_alter (taken from webform module):


  /* Start per-role submission control */
  $form['webform']['role_control'] = array(
    '#type' => 'fieldset',
    '#title' => t('Webform access control'),
    '#collapsible' => TRUE,
    '#collapsed' => FALSE,
    '#weight' => -3,
    '#parents' => array('webform'),
    '#description' => t('These permissions affect which roles can submit this webform. It does not prevent access to the webform page. If needing to prevent access to the webform page entirely, use a content access module such as <a href="http://drupal.org/project/taxonomy_access">Taxonomy Access</a> or <a href="http://drupal.org/project/node_privacy_byrole">Node Privacy by Role</a>.'),
    '#access' => variable_get('webform_submission_access_control', 1),
  );
  $user_roles = user_roles();
  $form['webform']['role_control']['roles'] = array(
    '#default_value' => $node->webform['roles'],
    '#options' => $user_roles,
    '#type' => 'checkboxes',
    '#title' => t('Roles that can submit this webform'),
    '#description' => t('Uncheck all roles to prevent new submissions. The %authenticated role applies to any user signed into the site, regardless of other assigned roles.', array('%authenticated' => $user_roles[2])),
  );
  /* End per-role submission control */
Cyberwolf’s picture

Cyberwolf CreditAttribution: Cyberwolf commented

Subscribing.

mansspams’s picture

mansspams CreditAttribution: mansspams commented
Version: 5.x-1.5 » 6.x-1.x-dev
Component: User interface » Code
Category: feature » bug
Priority: Normal » Critical
Status: Needs work » Active

changing to attract attention to version 6 and active because its not 2008 any more. To code because additional code is needed. To bug report, because it's a bug, not a feature, and priority to major, because if this is not major, then what is. Feel free to change back, but this looks like right issue settings.

Node form should have fieldset with roles checkboxes that may view node and that should be set WHILE node is created. Ill try to port patch to d6.

fago’s picture

fago
Primary language German
Location Vienna
CreditAttribution: fago commented
Category: bug » feature
mattiasj’s picture

mattiasj CreditAttribution: mattiasj commented

subscribe

good_man’s picture

good_man CreditAttribution: good_man commented
Version: 6.x-1.x-dev » 7.x-1.x-dev
Status: Active » Needs work
Issue tags: +Usability

Tagging for next Usability round.

greggles’s picture

greggles
he/him
Primary language English
Location Denver, Colorado, USA
CreditAttribution: greggles commented
Priority: Critical » Normal

I'm not sure this really makes sense. It would be overwhelming to include this information on the node/add page, IMO. If it is added definitely it should be optional.

That said, this is a feature request so priority should be "normal" since there are obviously many people happily using the module without this feature.

Renee S’s picture

Renee S CreditAttribution: Renee S commented

I work with a really paranoid user-base. The fact that the node is published, even if for a few seconds before they set the access control, freaks some people out. (Just, you know, providing a use-case :)

vulfox’s picture

vulfox CreditAttribution: vulfox commented
Issue summary: View changes

As a workaraound
Any pointers how can I add some of the checkboxes to the node form custom template? (node add form / node edit form)

For example for administrators to create members only content only the "view content" checkbox for authenticated users is needed

For example to get the standard "Promoted on first page" checkbox:

//node--page--edit.tpl.php
//....
// Checkbox - Display on front page
 print drupal_render($form['options']['promote']);
//..

But how to get the "view content" checkbox for authenticated users (or any other)?

gisle’s picture

gisle
he/him
Primary language Norwegian Bokmål
Location Norway
CreditAttribution: gisle at Hannemyr Nye Medier AS commented
Version: 7.x-1.x-dev » 8.x-1.x-dev

All feature requests go into the most recent branch.

gisle’s picture

gisle
he/him
Primary language Norwegian Bokmål
Location Norway
CreditAttribution: gisle at Hannemyr Nye Medier AS commented
Issue summary: View changes

I am not going to implement this feature request (unless someone sponsors development), but a rerolled, working patch will be appreciated and applied.

gisle’s picture

gisle
he/him
Primary language Norwegian Bokmål
Location Norway
CreditAttribution: gisle at Hannemyr Nye Medier AS commented
Status: Needs work » Closed (outdated)

Nobody has stepped forward. Time to close. Feel free to reopen if you still think this is an issue.