I wrote up a quick walkthrough of the groupapi module I have been working on. Comments are welcome, this is still under heavy development, but will almost certainly only serve as a potential model for how group and access management will work in future versions of Drupal as some problems arise in implementation.

Specifically, once you use the _access hook to restrict viewing a node pages like the front page and taxonomy pages will fetch n items from the database, but the user might not have access to some of them. Drupal cannot determine this until the item has been returned from the database. Currently the resulting page shows everyhting, but with access restrictions enforced it would show less than the expected number of items. Possibly even a page with no items and a pager with more pages of nothing.

A layer of hackiness or assuming 90% of users won't run into that problem can cover it up effectively. Unfortunately, that is nowhere near a good solution. So there needs to be a Drupal core rewrite to make access privilege checks happen in the query, including rearranging the database a bit.

Comments

irwin’s picture

This is very nice! It gives us something concrete to look at and think about.

I intend to take a detailed look through this and see how the UI works. You mention that the administration of the groups is similar to the roles UI that exists, but I believe that there are actually problems with the existing Permissions UI. :) More in another message (I need to think about it first).

Thank you!

-- Irwin