Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Having field-level permissions is important to replace functionality provided by the profile.module using the Fields API (see #394720: Migrate profile module data to field API).
One of the problems with field permissions is that they quickly become unmanageable when more than a few fields exist. Being able to optionally expose individual fields to the permission system would be a good alternative.
Comments
Comment #1
moshe weitzman CreditAttribution: moshe weitzman commentedI'm willing to do a straight port of CCK's content permissions module. Do folks think thats sufficient? flobruit's suggestion to selectively enable access control for a field is reasonable but then we hit a problem - there is no UI in core for fields.
Comment #2
yched CreditAttribution: yched commentedAlso, a UI for "selectively enable access control for a field" would possibly mean that the field_perms.module needs to add a new field setting, 'access_enable' to all field types, and a corresponding checkbox on the UI. Field API curently doesn't allow that.
This is in fact another D7 use case for the CCK D6 #417122: Allow drupal_alter() on Field and Widget Settings...
Comment #3
yched CreditAttribution: yched commented#502522: Allow drupal_alter() on the various Field API declarative hooks should allow "selectively enable access control for a field".
A patch for CCK HEAD will follow for the 'field settings forms" part.
Moshe, if you're willing to port content_permissions, it would be a cool opportunity to check we're doing this right :-)
Comment #4
tstoecklerI think the current, potentially overwhelming state of the permissions page should not lead to special-casing certain fields as being "permissionable". There are sites that have 20+ content types, each with their own "create", "edit", "edit own", "read", and "delete" permissions, so it is already an issue that is not necessarily connected to field API. I would find it strongly inconsistent to handle permissions differently between content types and fields.
Comment #5
rickvug CreditAttribution: rickvug commented@tstoeckler You bring up a good point about content type permissions making the permissions page overwhelming. What if permission were broken up into 3 tabs to control the chaos? The three tabs would be Module Permissions, Content Type Permissions and Field Permissions. I could see major contrib modules (Views & OG perhaps) also following the tabs pattern, making permission settings easier to find through consolidation.
Comment #6
tstoeckler#5 is something for a different issue.
... which should definitely be opened by someone! The current permissions UI can be quite horrific in certain scenarios.
I just looked at the D6 content permissions module. It provides "edit" and "view" permissions. I think that's fine for a first patch, but I do think we should sync those permissions with content type permissions in a second step.
Comment #7
rickvug CreditAttribution: rickvug commented@tstoeckler I completely agree that tabs for the permission screen is another issue that shouldn't be intertwined here. I'll look to file soon.
Comment #8
EvanDonovan CreditAttribution: EvanDonovan commentedIs anyone still working on this for core? If not, is this something that the Field API could support in contrib? It is absolutely critical for my site, and I believe, for a lot of sites that use CCK.
If this goes into core, I would suggest that it is improved by making the content permissions "opt-in" so they don't apply to every field by default. The best way, imo, to do this would be if every time a field is created there would a screen that would ask whether to activate content permissions on the field. (That is, if content permissions were globally active.)
Comment #9
floretan CreditAttribution: floretan commentedNow that we opted on a different mechanism to choose what fields could get displayed on the registration form, I don't think that field permissions need to be in core. There's of course no reason that this can't be part of the CCK in contrib.
Comment #10
webchickAgreed. Moving to 8.x for possible inclusion there, but contrib is fine for 7.x.
Comment #11
webchickComment #12
bjaspan CreditAttribution: bjaspan commentedWhy is this not a wontfix? Most sites do not need field permissions; why should it be in core?
Comment #13
EvanDonovan CreditAttribution: EvanDonovan commented@bjaspan: It doesn't have to be in core necessarily. For my site, it would be fine if it were in contrib. There just has to be the possibility of doing it. As long as Field API has the potential to support it, that's cool.
Field Permissions was part of the package when CCK was in contrib, so I thought it might be moved into core though, since the rest of CCK was.
Comment #14
markus_petrux CreditAttribution: markus_petrux commentedOne thing that is missing in field_access() is something I added recently to CCK for D6. We have the $node as a new argument that is also passed to hook_field_access(). This allows other modules check permissions based not only on user roles, but also in context. The counterpart for D7 would be $obj_type and $object (or $entity) I guess. For this I have opened a separate task: #597832: Add $obj_type, $object arguments to field_access() to enhance the context for hook_field_access().
Once this is done, I was planning to upgrade the Content Permissions module in D6 with 'view own', 'edit own' (something that needs to know the uid in the $node), and also use hook_field_settings_alter() to add a radios element to the field settings form that allows sites to selectively enable field permissions per field. That way you do not need to care about fields that can perfectly inherit permissions from the node they are.
The main code of this Content Permissions module I would like to push for D6 follows. I guess it could be used too for D7. We need a hook_update_N() to enable field permissions for all fields for those that have this module already enabled. They could then disable permissions per field where they need to. This upgrade is necessary for compatibility with current implementation of Content Permissions module.
Comment #15
markus_petrux CreditAttribution: markus_petrux commentedIn case people is so busy with other things now, one question: this feature in contrib for D7 means in CCK? ...I'm asking this because if yes, I could do this now in CCK for D6. Otherwise, I would use a separate project.
Comment #16
moshe weitzman CreditAttribution: moshe weitzman commentedI think it will be clearer if we abandon the cck project for d7 and use separate projects. I propose a separate field permissions project for this ... your plan about settings_alter sounds great to me.
Comment #17
markus_petrux CreditAttribution: markus_petrux commentedOk, here's the project page:
http://drupal.org/project/field_permissions
I'll commit code asap. And I'll also provide a version for D7 as well, as soon as the other issue about field_access() contexts is in: #597832: Add $obj_type, $object arguments to field_access() to enhance the context for hook_field_access().
Comment #18
EvanDonovan CreditAttribution: EvanDonovan commentedThanks for working on this! Sounds good...
Comment #19
markus_petrux CreditAttribution: markus_petrux commentedI have already started the port to D7: #598924: Port of Field Permissions to D7.
Comment #20
markus_petrux CreditAttribution: markus_petrux commentedI need advice to properly implement Field Permissions for D7. Here, I need to extend attributes for all fields with the permissions option (permissions disabled? enable view/edit permissions?, etc.). However, I'm not sure which is the best practice in D7 to do it. Do I need to implement hook_field_info_alter() + hook_form_alter() ? Is there any module out there that extends field attributes I can look at as an example? Knowing which hooks I need to implement would be enough to go, though.
Comment #21
yched CreditAttribution: yched commentedhook_field_info_alter() + hook_form_alter() sounds like the way to go.
Comment #22
markus_petrux CreditAttribution: markus_petrux commented@yched: Thanks! :)
I think I already got a working version of Field Permissions for D7. It should be available from next nightly snapshot (or checking out from CVS). Those interested on this feature, please monitor this issue: #598924: Port of Field Permissions to D7.
Only node related fields seem to work in core, though. I'll revisit core in the future to see if the port can be finished with similar features as in the D6 version.
Comment #23
RobLoachHitting the fake subscribe button.
Comment #24
klonos...me too ;)
Comment #25
geerlingguy CreditAttribution: geerlingguy commentedSubscribe.
Comment #26
michaelfavia CreditAttribution: michaelfavia commentedSubscribe as well.
Comment #27
grota CreditAttribution: grota commentedSubscribe.
Comment #28
swentel CreditAttribution: swentel commentedThere's another issue re: field permission that's older, see #366416: Field Permissions UI