I've just installed the content access module, and I really like it !
However, I find a little unintuitive (and insecure) the way per-node access control is handled.
I would expect node authors to be offered access control forms on the node creation page. However, it seems the expected work-flow is to:
- create a node (with full access control as per the content-type-specific settings), and only then;
- change access control parameters.
Thus, there is some time between 1) (node creation) and 2) (node editing) where access control is granted to everybody.
Copied from #2839772: There is no way to edit permissions when creating a node:
I configured Content Access to allow per node settings for a given content type. 90% of nodes of this type should be visible to everybody, so I set the default permissions accordingly (view: anonymous + authenticated users). But there are these 10% of nodes which should in no way be visible to anonymous users and authenticated users who are not in some given role. So when creating one of these private nodes, I expect to have a way to restrict view permissions at the same time as the creation of this node, else there will be some time (a few minutes or tens of seconds) during which the node will be visible to everybody before the node author had time to restrict access.
My proposal would be to have a UI similar to what the Page Access module does: https://www.drupal.org/project/page_access.
Comment | File | Size | Author |
---|---|---|---|
#5 | content_access.module.patch | 4.64 KB | dvinegla |
Comments
Comment #1
Muslim guy CreditAttribution: Muslim guy commentedI was also thinking aboout nodeaccess.module
A user has to submit it first, then edit it and click `grant' tab
Comment #2
Muslim guy CreditAttribution: Muslim guy commentedSorry the original title was changed
Comment #3
fagohm, I don't use the module this way, but yes this might be not ideal for newly created nodes. Feel free to provide a patch, that improves that. :)
Comment #4
chrisroditis CreditAttribution: chrisroditis commentedHas anyone managed to add this functionality?
Comment #5
dvinegla CreditAttribution: dvinegla commentedthis is a patch.
Notes:
-Only works with ACL 5.x-1.x-dev
-workflow-ng is not tested.
Comment #6
dvinegla CreditAttribution: dvinegla commentedComment #7
dvinegla CreditAttribution: dvinegla commentedComment #8
design.er CreditAttribution: design.er commentedhas anybody tested this patch yet?
Unfortunately I'm using D6 so I'm unable to test it at the moment.
It would be an absolutely usability improvement if this feature could go into the content access core - even if only as an option.
Comment #9
cyoong87 CreditAttribution: cyoong87 commentedThe patch works. It also works with the latest stable ACL module. I haven't tested the workflow-ng.
Does anyone know how to hide, disable, or filter the roles?
I've tried modifying the hook_form_alter so I can use '#disabled' for the checkboxes. It seems to me it uses checkboxes so I guess there is no attribute to disabling an option. If I try to disable a checkbox for a 'View', 'Edit', or 'Delete' column under Role Access Control, it disables all the checkboxes.
Comment #10
TimAlsop CreditAttribution: TimAlsop commentedDoes this patch work with Drupal 6, with ACL 6.x-1.2 and Content Access 6.x-1.2 installed ?
I have another access control module installed for domain access control, and this shows options when I create new content, but the node access control is not shown and I have to edit the node after it has been created. As somebody mentioned earlier, this is not the best security because it means for a short moment the node is available to all users.
Comment #11
soulston CreditAttribution: soulston commentedI am working on this same problem at the moment.
The work around is to set the node to unpublished, set permissions and then set node to published - you can obviously set the general settings for the content type to be unpublished removing 1 of the above steps but it's not ideal.
I had a look at rules to see if you could redirect to the node/[node:nid]/access page so you were effectively setting the permissions straight away but this didn't work - maybe as the nid hadn't been created on form submit? any other ideas?
There is a module called:
http://drupal.org/project/subform_element
which seems to let you place a form within a form - that might be another work around.
Ideally it needs something like this in a hook_form_alter (taken from webform module):
Comment #12
Cyberwolf CreditAttribution: Cyberwolf commentedSubscribing.
Comment #13
mansspams CreditAttribution: mansspams commentedchanging to attract attention to version 6 and active because its not 2008 any more. To code because additional code is needed. To bug report, because it's a bug, not a feature, and priority to major, because if this is not major, then what is. Feel free to change back, but this looks like right issue settings.
Node form should have fieldset with roles checkboxes that may view node and that should be set WHILE node is created. Ill try to port patch to d6.
Comment #14
fagoComment #15
mattiasj CreditAttribution: mattiasj commentedsubscribe
Comment #16
good_man CreditAttribution: good_man commentedTagging for next Usability round.
Comment #17
gregglesI'm not sure this really makes sense. It would be overwhelming to include this information on the node/add page, IMO. If it is added definitely it should be optional.
That said, this is a feature request so priority should be "normal" since there are obviously many people happily using the module without this feature.
Comment #18
Renee S CreditAttribution: Renee S commentedI work with a really paranoid user-base. The fact that the node is published, even if for a few seconds before they set the access control, freaks some people out. (Just, you know, providing a use-case :)
Comment #19
vulfox CreditAttribution: vulfox commentedAs a workaraound
Any pointers how can I add some of the checkboxes to the node form custom template? (node add form / node edit form)
For example for administrators to create members only content only the "view content" checkbox for authenticated users is needed
For example to get the standard "Promoted on first page" checkbox:
But how to get the "view content" checkbox for authenticated users (or any other)?
Comment #20
gisleAll feature requests go into the most recent branch.
Comment #21
gisleI am not going to implement this feature request (unless someone sponsors development), but a rerolled, working patch will be appreciated and applied.
Comment #22
gisleNobody has stepped forward. Time to close. Feel free to reopen if you still think this is an issue.