According to the README.txt: Permissions by Term module additionally disallows users to select taxonomy terms, for which they don't have access, on the node edit form. This seems to not be working.

My node contains one field_secured_areas field, labeled "Visibility", which references a vocabulary called "Secured Areas". This vocabulary contains two terms:

  • "Visible to members only", with allowed role Authenticated user.
  • "Visible to staff only", with allowed roles Staff and Administrator.

When an Authenticated User (who is neither Staff nor Administrator) creates content, the form shows three options for the Visibility field:

  • N/A
  • Visible to members only
  • Visible to staff only

The user is able to select "Visible to staff only", and thereby create content that he does not have permission to view.

I am a Drupal beginner, and I apologize if I'm misunderstanding something. Let me know if you need additional information.

FYI, I have also installed view_unpublished 8.x-1.x-dev, but I don't think that should be affecting what I see here.

Comments

billstatler created an issue. See original summary.

Peter Majmesku’s picture

Thanks for your detailed description. I'm currently working on automated tests to cover regressions. I will definitely write a test for your case and fix it.

  • fe5c630 committed on 8.x-1.x
    At debugging #2756809.
    
BORANBURCIN’s picture

I have same problem at Drupal 7

maxilein’s picture

Hi Stefan,

super Module! I have long waited for something like this. This is essential to a CMS and should be a standard Drupal mechanism in my opinion!!
Especially this feature which combines transparent access rights with easy configuration!!!

I am waiting on this, too.

Use Case: Consider this scenario:

Inside of a Company the taxonomy represents the organizational hierarchy in departments.
Company
|_ Dep1
|_ Dep2

Some users are members of only one department.
Would it be possible to create a mechanism which - during content creation - checks if a user is member of only one term and then autopopulate the secured_areas field with ths one term reference?

I cannot thank you enough for this module!
R,
Max

PS: Forgot to mention: excellent dokumentation also - much better than most modules!

jonnyhocks’s picture

I am also experiencing this issue. We have a front facing node creation/edit form and non 'administrator' users are able to see and select a taxonomy term which has had an 'administrator' role tagged to it.

Peter Majmesku’s picture

Guys, thank you for your feedback, compliments and so on. Very motivating - your appreciation is a very important element for community built software.

I will dig again into debugging this issue this week. I had no time recently.

  • fe5c630 committed on 2756809
    At debugging #2756809.
    

  • 92b0f7a committed on 2756809
    #2756809 - Users cannot use restricted terms anymore. They are also not...

  • 92b0f7a committed on 8.x-1.x
    #2756809 - Users cannot use restricted terms anymore. They are also not...
Peter Majmesku’s picture

Status: Active » Needs review

Users cannot use restricted terms anymore. They are also not appearing by the auto-complete list. Furthermore there is not needed to define 1 field (field_secured_areas) for the access restriction anymore. Every taxonomy term can have access restriction. Beside this I have fixed a few coding standard violations.

Please test the latest dev-version and give me feedback if everything works.

Peter Majmesku’s picture

@maxilein: Your feature request is too much specific to a single use case. Please build it on top of the module. I will not ship this feature with the Permissions by Term module.

Peter Majmesku’s picture

Status: Needs review » Closed (fixed)

Closing this issue, since it is fixed.