For my use case I needed specific functionality to allow granting permissions for just a single role. Every other role would be untouched by nodeaccess.

So user with this new specific role can be granted the edit permission to edit certain pages, without allowing them anything else.

I've made quite a few modifications to this module to make it work. Some of the added functionality might be of use for other people. Therefore I'm throwing my patch here. But as a whole it might not (yet) be suitable for inclusion in the module.

I'll put the patch and a changelog in the first comment below.

Remaining tasks

If there's a desire from the wider community of users of nodeaccess to add any or all functionality to the module, remaining tasks -- in no particular order / either of these could happen first:

  • Discuss and decide which pieces to add to module.
  • Break out pieces into child issues.

Comments

paulvandenburg created an issue. See original summary.

paulvandenburg’s picture

Status: Active » Needs review
StatusFileSize
new19.68 KB

The mentioned patch and changelog:

  • Added an extra setting to disable the content type specific grant settings.
  • Hide the content type specific grant settings if that setting is disabled.
  • Various empty checks to prevent notices and have a more consistent behaviour.
  • Removed the odd nodeaccess_disabling() function.
  • Replaced the on disable functionality with a node_access rebuild, resulting in the expected behaviour without breaking nodeaccess on unpublished nodes.
  • Replaced the autocomplete user callback with a custom nodeaccess version, which limits results to users with the required specific role.
  • Refactored the nodeaccess_node_access() to make sure the original permissions aren't altered for users/roles nodeaccess isn't configured for. E.g. granting view permission where there used to be viewing permissions.
  • Rewritten the user search used for both autocomplete and user selecting, using db_select(). With limiting on selected roles.
  • Added default grant when nodeaccess is doing special granting, to give unaffected users the pre-nodeaccess functionality. This fixes sudden access denied for those unaffected users.
  • Various fixes to make the above work.
  • Various other refactoring.

Maybe I'll come back to this someday and split it in nice separated patches, but not today.

Status: Needs review » Needs work

The last submitted patch, 2: nodeaccess-limited_to_role-2979082-2.patch, failed testing. View results

ruudvanoijen’s picture

You've added a check for operation view and status. However this check can be removed and the return can be placed in the switch case
You only want to return something here if it is relevant to that role.

function nodeaccess_node_access($node, $op, $account) {
  if (!isset($account->uid)) {
    global $user;
    $account = $user;
  }

  // Only do something if the user has a role that nodeaccess is doing something for.
  $nodeaccess_enabled_roles = array_keys(array_filter(variable_get('nodeaccess-roles', array())));
  if (empty(array_intersect($nodeaccess_enabled_roles, array_keys($account->roles)))) {
    return NODE_ACCESS_IGNORE;
  }
  switch ($op) {
    case 'update':
    case 'delete':
      // We check if the role has particular access to this node.
      $grants = nodeaccess_get_grants($node);
      foreach ($account->roles as $rid => $role) {
        if (
          (
            isset($grants['rid'][$rid]['grant_update']) &&
            $grants['rid'][$rid]['grant_update'] &&
            $op == 'update'
          ) ||
          (
            isset($grants['rid'][$rid]['grant_delete']) &&
            $grants['rid'][$rid]['grant_delete'] &&
            $op == 'delete'
          )
        ) {
          return NODE_ACCESS_ALLOW;
        }
      }
      break;

    case 'view':
      // If the node is not published. We check other permissions.
      if (!$node->status) {
        // If the current user is the author and not anonymous.
        if ($node->uid == $account->uid && $account->uid > 0) {
          // We check to see if they have access to view own unpublished.
          if (
            user_access('view own unpublished content', $account) ||
            user_access('bypass node access', $account)
          ) {
            return NODE_ACCESS_ALLOW;
          }
        }
        elseif (user_access('bypass node access', $account)) {
          return NODE_ACCESS_ALLOW;
        }

        return NODE_ACCESS_IGNORE;
      }
      else {
        return user_access('access content', $account) ? NODE_ACCESS_ALLOW : NODE_ACCESS_IGNORE;
      }
      break;

  }
  return NODE_ACCESS_IGNORE;
}

paulvandenburg’s picture

Status: Needs work » Needs review
StatusFileSize
new20.34 KB
new1.1 KB

You're right that that access check could be moved to the switch case. However before the switch case there is a quick return for roles which aren't controlled by nodeaccess. As a result those other roles would not receive this access.

But I did discover some other issues. When used in combination with the revisioning module, permission for nodes is not granted when that node is unpublished (e.g. due to a node export/import). The revisioning module did provide an extra access case for this scenario, however it disables that extra case when a module implements hook_node_grants, like this module.

So I've added that extra case to this module as well, when nodeaccess_node_access_records() turns up empty.

Status: Needs review » Needs work

The last submitted patch, 5: nodeaccess-limited_to_role-2979082-5.patch, failed testing. View results

paulvandenburg’s picture

alison’s picture

Note to revisit, possibly for #3033025: Nodeaccess 7.x-1.7 release.

tvoesenek’s picture

Status: Needs work » Needs review
StatusFileSize
new19.04 KB

I've rerolled the patch from #5 against the latest dev.

alison’s picture

Cool ideas, @paulvandenburg, and thanks for the reroll, @TVoesenek!

Do you two feel like you still want this functionality -- and do you want it for D7, or not really anymore -- or definitely still want it? Just checking! (@TVoesenek are you using the patch on a site, or providing rerolling services? Again, just checking :) )

Initial thoughts, skimming through the changelog comment (awesome -- thanks for writing!), haven't skimmed through code or tested the patch yet:

  • (Preface: yeah should probably break this up, but I totally get where you were coming from -- starting by just getting it all out there! And, cool of you to share back what you did for your use case.)
  • Eek that "disabling" function *is* odd! Also, the "disable" function in .install -- I'm not sure, but I feel like maybe this was a "norm" or even a requirement of D6/D7 modules "way back when"...?
  • I wonder how the "Preserve hidden grants" and "Give node grants priority" settings fit in with what you're going for.
  • Your use case -- you're looking to prevent managing users from applying nodeaccess settings to users who *don't* have the specific role, is that the impetus for this functionality? If not, could you clarify the use case/needs?

.............
(Meanwhile, just fyi: I'm going to remove from the "also considering" list for 7.x-1.8, just because it's so much new functionality to consider -- I think if we roll any of it into the module, it'll be in pieces.)

paulvandenburg’s picture

@TVoesenek and I are colleagues and we have this patch running for a few customers. But we are currently in the phase of just maintaining existing functionality. So we still need the patch, but getting it committed is a "nice to have" thing.

I agree the best case scenario would still be splitting it into smaller patches, but with the above in mind I don't think I'll find the time to do so.

For our use case the "preserve hidden grants" and "give node grants priority" are not really relevant. I don't think they really interfere here, but I've not tested it.

To explain our use case:
It is a simplified granting system. Users with role A can grant selected users with role B (or everyone with role B) edit access to specific nodes of certain content types. Role A users are basically the "master editors" who maintain all content. They want to give specific people access to a single or a few pages so they can edit the few pages containing content for their expertise/job. So nodeaccess is only maintaining editting permissions of nodes and only maintaining permissions for users with role B. Only users with role A can edit these grants. Users with role B are generally very limited users who can only edit those specific assigned nodes.

Basically this whole patch revolves around 2 things:

  1. Limiting the granting of permissions to role B.
  2. Making the interface easier for role A, by only showing users with role B and by removing the "by content type" stuff granting, since they only grant access on a per node basis.

And then some clean up due to the legacy of the module.

alison’s picture

Issue summary: View changes
Status: Needs review » Needs work

@paulvandenburg Gotcha, thank you so much for explaining!

I'm doing to say "needs work" b/c if it's going to be committed, it'll be in pieces -- not to oblige y'all to actually do that, just to reflect the status of the issue.

joshahubbers’s picture

StatusFileSize
new19.13 KB
new418 bytes

Fixed a bug in this patch (#3195324: Column 'uid' in where clause is ambiguous).

Column 'uid' in where clause is ambiguous because a condition on uid and not on u.uid is added.

d.fisher’s picture

Status: Needs work » Postponed (maintainer needs more info)

Drupal 7 security support has ended as of 5 January 2025.

We are doing some housekeeping on the nodeaccess issue queue and moving all Drupal 7 issues to "postponed (maintainer needs more info)". See https://www.drupal.org/project/nodeaccess/issues/3516593.

If this issue persists on the latest dev branch of nodeaccess (2.0.x-dev) then please feel free to comment and we will change the version against this issue. If we do not hear any feedback within 2 weeks (9th October 2025) we will go ahead and close this issue as outdated.

Thank you.

d.fisher’s picture

Status: Postponed (maintainer needs more info) » Closed (outdated)

As per the above, as there has been no response we will now close this issue as outdated.

If this issue persists on the latest dev branch of nodeaccess (2.0.x-dev) then please feel free to update the version on this issue and reopen it.

Thank you.

Now that this issue is closed, please review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, please credit people who helped resolve this issue.