It should be possible to have a free-tagging vocabulary, but only allow certain roles to create terms. With modules like hierarchical select which allow you to add items to structured vocabularies, it'd be handy to have a permission for this too.
Also, now that we have edit tabs for terms, might as well have a separate 'edit terms in $vocabulary' permission for each vocabulary.
Comment | File | Size | Author |
---|---|---|---|
#42 | taxonomy_permissions.patch | 2.89 KB | catch |
#40 | taxonomy_permissions.patch | 2.89 KB | catch |
#36 | vocabulary_permissions.patch | 8.4 KB | catch |
#29 | taxonomy_permissions.patch | 8.53 KB | catch |
#26 | taxonomy_permissions.patch | 8.83 KB | catch |
Comments
Comment #1
catchThis patch adds create, edit and delete permissions per vocabulary. Freetagging now depends on user permissions rather than the form widget type to determine if new terms will be saved. Menu access is now dependent on edit/administer permissions. Obviously the permission won't make any difference for vocabularies which have a select list on the term creation page - but for example the hierarchical select module allows for creation of new terms in structured vocabularies from node/add - so it would allow for that ability to be based on a centralised core permission.
Some questions which need answering -
1. Do we need an upgrade path to grant permissions for freetagging. I don't see a nice way to do this, except perhaps based on node type permissions where freetagging vocabularies are assigned or something? We need something though.
2. When creating a freetagging vocabulary, it might need to change to 'autocomplete' instead of 'tags' - then add a note to set permissions if you want tagging.
Setting to needs review in the hope of some feedback on those points.
Comment #2
XanoCatch, great job! I'll bookmark this issue and test the patch tomorrow.
Comment #3
catchCouple of things - since term objects don't contain the name of their parent vocabulary, only the vid, I've used that to differentiate the permissions instead of vocabulary->name - otherwise we'd be loading vocabularies on term pages just to check a permission... Since we have permission titles and descriptions now, this only affects the values in the database, and saves a query or two.
New patch removes taxonomy_node_validate() which does some very odd checking, and moves it to a drupal_set_message() in taxonomy_node_save() - invalid terms are now discarded with that message if the user doesn't have permission to create new ones.
Comment #4
XanoAnother reason for doing this is that a vocabulary's name may change over time. If permissions depend on this name things may get very, very nasty.
I took a quick peek at the patch and it looks good so far. I suggest changing the drupal_set_message() so it can be used if a user wants to add multiple terms but isn't allowed to do this as well. This prevents pages from being flooded by messages if a user (accidentally) wants to add(/create) a lot of terms.
Comment #5
catchGood point about the drupal_set_message() - this is now consolidated into one.
Comment #6
catchChanged the vocabulary option to 'Autocomplete' rather than 'Tags', with a help text change to reflect the new permissions requirements for actual tagging. Occurred to me that this should also help to distinguish the option from the default 'Tags' vocabulary. Also added a test to ensure that terms are discarded correctly for users without the appropriate permission.
Attached are screenshots for the vocabulary edit form, the new permissions, and the discarded tag message.
Comment #7
XanoI'd use %vocabulary for permissions' titles and description. Also, we might want to think of a shorter message to tell the user he doesn't have permission to create new terms.
Comment #8
catchMessage is a little tricky since they might have permissions to create terms in one vocabulary but not another, reworded it, not necessarily much shorter, but a little more direct hopefully. Ideas welcome!
Switched to %vocabulary.
Comment #9
XanoI know it's hard to make it shorter, but it's quite long now. I admit I haven't been able to come up with a shorter version as well, but we should try. Everything else looks superb from here!
Comment #10
catchFor reference, the string that should be shorter is:
You do not have sufficient permissions to create new terms in this vocabulary, so the following new terms were not saved:
or:
The following terms were not saved because you do not have permission to create new terms in this vocabulary:
The second is a little shorter. Another option is "The following terms were not saved due to insufficient permissions:" - and moving that message outside the foreach loop, maybe.
Comment #11
XanoWhat about "You have no permission to save the terms %terms"?
Comment #12
keith.smith CreditAttribution: keith.smith commentedI don't have any real issue with the "no permissions" message that's currently in the patch, though it is long. We could possibly tweak this one, however:
Terms are entered by users by typing a comma separated list. Users may create new terms using this method (tagging) if they have permission to do so for this vocabulary.
Automatically match existing terms entered in a comma-separated list. New terms in the list will be created (for users with the appropriate permissions).
The only problem with this is that, AFAIK, the autocomplete is really only going to match the first term entered in the list.
Comment #13
XanoNope, it works for all terms :-)
Comment #14
keith.smith CreditAttribution: keith.smith commentedSo it does. My bad.
Comment #15
catchMarked #307846: Split up taxonomy permissions to allow editing of terms by non-admins... on a per-vocabulary basis (older, but no patch and less discussion) as duplicate.
Changed strings based on Keith and Xano's suggestions - made some slight modifications - i.e. realised that we've never mentioned that these options only affect posting content.
Comment #16
moshe weitzman CreditAttribution: moshe weitzman commentedLooks like a terrific patch to me. I code reviewed but did not test.
Comment #17
catchThat's odd, I changed the string for discarded terms in #15, but not the string in the patch, but the test still passed. Marking to needs work, looks like it needs a more robust test.
Comment #18
XanoWhat about adding a view $vocabulary permission? A user would need this permission to view the /taxonomy/term/[tid] pages.
By the way: personally I would not use variables within strings like
echo "create terms in $vocabulary->vid";
IMO, putting them outside the string is more readable, especially when using syntax highlighting, so I'd change it to
echo 'create terms in ' . $vocabulary->vid;
Comment #19
catchXano, in this case I just copied what node.module does, there seems to be a mixture of both ways in core.
Comment #20
XanoI know, but it still makes more sense to me not to put variables within strings. Actually, this should be in the coding standards... :-P
Comment #21
catchNew patch - better check in the test, additionally concat the permissions rather than using double quotes with inline variables to keep Xano happy.
As for 'view' permissions - the issue with this is you'd still be able to see the terms displayed on nodes - which would leave to a 403 if these were mixed up, so this needs more thought, and probably in another issue.
Comment #22
XanoIIRC usernames are only displayed as links if the user has permission to access user profile. Perhaps we could implement something like that? But indeed, if we're going along that way, this probably requires a separate issue.
Comment #24
catchre-rolled for nodeapi_function signature changes.
Comment #26
catchre-rolled.
Comment #27
drewish CreditAttribution: drewish commentedsubscribing.
Comment #29
catchre-rolled again.
Comment #32
bsherwood CreditAttribution: bsherwood commentedAfter looking at the rejected.png image, I see a usability issue waiting to happen. Since I don't see an image for the actual form prior to submission, I assume that it hasn't changed. Maybe users without the proper permissions, shouldn't see the actual vocabulary select/dropdown on a /node/*/edit form? This way they won't have the chance to enter in any terms where they don't have the permission to do so, I think we can do it two ways:
1) Remove vocab from form if user does not have access to it.
2) Disable the input field, so the user can see it but can't edit it. (can we do this without JavaScript?)
How is the required option going to be handled? Since giving users a "create terms for X vocabulary" permission, I think it is in the best interests to make the required option based on what user is has access to create terms. A simple breakdown of what not to happen would be:
1) node allows authenticated users to edit it
2) node has multiple vocabularies associated with it, with only one vocab that is editable by auth user.
3) user edits it and attempts to save node
4) node fails validation since a required vocab was not filled out since user does not have access to it.
BTW, I love this idea to begin with. I always wanted to create an "admin-only" taxonomy to categorize content without a) messing with hook_form_alter() and b) allowing users to see "internal" vocabularies.
Comment #33
XanoAll roles should be able to select terms from a required vocabulary.
Comment #34
bsherwood CreditAttribution: bsherwood commentedMy point was that if you created a required vocabulary, assigned it to "article" and only allowed UID1 to create/edit terms for it, should the node still validate and save if you allowed authenticated users node edit permissions?
Comment #35
catchbhserwood - I think you're confusing 'create' and 'assign' - the rejected terms message is only for autocomplete term selection, when the user types in terms that don't exist (i.e. new tags), and doesn't have permission to create new terms in that vocabulary. Everything else works exactly the same.
The only situation where this would cause an actual validation error would be when you set an empty autocomplete vocabulary to required - in that case we probably do need a fallback, although that's also a very strange configuration option and might come under "don't do that".
Comment #36
catchre-rolled.
Comment #38
giorgio79 CreditAttribution: giorgio79 commentedHi Catch,
Check this out
http://drupal.org/node/323490#comment-1733196
Just found it, sg similar for Taxonomy Manager (how about that in core? :)) )
Comment #39
sunYes, we badly need this. Tagging.
Anyone up for re-rolling?
Comment #40
catchRe-rolled minus 'create' - we can't do that from the taxonomy admin UI before freeze, and CCK field permissions or a custom field widget could handle it for tagging. So this just does edit and delete now.
Comment #42
catchtypo.
Comment #43
sunLooks good to me, and this functionality is basically already covered by tests.
Comment #44
sunAlso fixing issue title, because "create" is deferred to a point in time where we find a solution for how to handle term autocomplete widgets...
Comment #45
Dries CreditAttribution: Dries commentedAlright, I'll let this one slip in. Committed.
Comment #47
dragon2000 CreditAttribution: dragon2000 commentedapplying this patch to my drupal 6.15 doesn't work and causes errors in permissions page!
what should I do?
Comment #48
XanoYou shouldn't apply this, as this patch was written for Drupal 7, but will be postponed until Drupal 8.
// Sorry for moving this to D8 again! Guess I wasn't fully awake...
Comment #49
sunThis patch went into D7 already.
Comment #50
kndrdragon2000: There is a new module PermMill for Drupal 6.x, which allows you to define fine-grained permissions on a per-page basis. I found this very usefull for splitting taxonomy permisions. Try http://drupal.org/project/permmill
Comment #51
Cyberwolf CreditAttribution: Cyberwolf commentedJust for people stumbling upon this issue and are wondering where the "create" permission is being discussed further: #1034600: Split Taxonomy permissions into 'Vocabulary' and 'Terms'