When optimizing grants, Content Access assumes that the Authenticated User role is a superset of all other user-defined roles. However, when using LoginToboggan there may be an 'unvalidated' role which is not a sub-role of Authenticated User.
This can cause issues such as the unvalidated user being unable to view their own content, if grants are given to Authenticated and 'unvalidated' users. Content Access optimizes the grants to only the Authenticated role, which then excludes the unvalidated user when they grant is checked.
The following patch modifies the grant optimization if LoginToboggan is installed, and the 'unvalidated' user role is enabled.
In order to grant view access to all roles, the unvalidated role must be checked in addition to Anonymous and Authenticated. I think that it would be rare in practice to have rules which deny the unvalidated role but grant access to the two others, so this shouldn't make existing grants less optimal. (Typical cases should be Anon-Unval / Auth-Unval / Anon-Auth-Unval)
If the Authenticated role is granted an operation, the 'unvalidated' role is given special treatment similar to the anonymous role, so that it is not removed from the given grants.
Comment | File | Size | Author |
---|---|---|---|
#12 | content_access-915170-12-D6.patch | 1.38 KB | gapple |
#12 | content_access-915170-12-D7.patch | 1.33 KB | gapple |
#9 | content_access-915170-logintoboggan-settings.png | 24.48 KB | gapple |
#9 | content_access-915170-auth-unauth-access.png | 77.54 KB | gapple |
#9 | content_access-915170-auth-unauth-view.png | 72.81 KB | gapple |
Comments
Comment #1
butler360 CreditAttribution: butler360 commentedI just ran into this issue and here I find a fresh patch waiting to be tested!
Patch applied cleanly (although it did say "Stripping trailing CRs from patch"). After rebuilding permissions it fixed the issue! Thanks!
Comment #2
gappleThank you for testing @butler360!
I probably created the patch before properly setting up my IDE to always use UNIX line endings (Eclipse doesn't make it easy).
Comment #3
good_man CreditAttribution: good_man commentedWe need a general solution for that not just for loggintoboggan.
Comment #4
gappleMy only thought for a general solution is a hook to allow modules to return roles that should receive special treatment. I'm not aware of any other modules that would make use of this at this time.
Haven't tested it out yet, but here's what I think could work. Suggestions for a better hook name would be appreciated.
Comment #5
gappleI should check out my patch files before upload...
The patch for content_access seemed to grab some changes from an older commit as well, and I noticed that I didn't initialize a variable before use, so here's the corrected patch.
Comment #6
good_man CreditAttribution: good_man commented@gapple: thanks for your work, but I've tried logintoboggan and it didn't create such role, and I tried to create content and assign view to auth. and it worked for unvalidated users. Any steps to reproduce?
Comment #7
gappleThe unvalidated role must be created manually and then assigned on the logintoboggan admin page (Non-authenticated role field in the Registration fieldset).
Then create content with permissions for the Authenticated and the non-authenticated role you created.
After saving, the node grants table will only contain an entry for the Authenticated role.
If a user that has registered but not confirmed their email address tries to access the content, they will be denied (as I understand, LoginToboggan removes the Authenticated User role from these users)
Comment #8
good_man CreditAttribution: good_man commentedI tried the steps you mentioned and it's working great, make sure there is not other module that causing this conflict.
Comment #9
gappleJust ran through things again on a local test site.
Base Drupal install, with only Content Access, LoginToboggan, Admin Menu, and Devel installed and enabled.
1. Create a new role 'un-auth', and grant 'access content' permission
2. Configure LoginToboggan: Enable 'Set Password' and set Non-authenticated role to 'un-auth'
3. Create user accounts: Authenticated user can be created by admin, unauthenticated user must be created by using the user registration form
4. Set 'Story' content type permissions
5. Create a Story node
6. View node
Here are some screen shots of the settings and consequent node views with Devel showing the node access records:
Authenticated and Un-auth This setting is optimized to just 'authenticated', erroneously denying access to un-auth users.
Anonymous and Authenticated This setting is optimized to 'all roles', even though un-auth should not be given access (granted, this is not a likely use-case).
Comment #10
good_man CreditAttribution: good_man commentedOK now I got what you mean, you didn't make it clear that *you* want this behaviour, and I thought what you want is what's going on now and it's bug :)
So did you open an issue in logintoboggan issue queue with your patch? (of course our patch needs to go in first so they can use it).
Comment #11
gappleI've just opened an issue in the LoginToboggan queue: #1213466: Content Access compatibility contrib module
Comment #12
gappleThe issue in LoginToboggan has been fixed with the commit of a compatibility module in both 6.x and 7.x branches.
I've attached patches for 6.x and 7.x, though there are no differences between the two.
They improve upon my previous patch by replacing the
foreach
loop witharray_intersect
.Comment #13
RedRock2512 CreditAttribution: RedRock2512 commentedIs this patch in the latest DEV version?
Comment #14
gappleThese patches aren't in DEV yet; when they are this issue will be marked as closed.
Testing and marking RTBC would be helpful in getting these patches added.
Comment #15
mrP CreditAttribution: mrP commentedIf there is any chance of this getting fixed, it will go into D7 first and then potentially ported to D6.
When I tested the patch, I used it on an existing site with existing permissions (tested a new registration of course as well as rebuild permissions), and still had the same issue.
Comment #16
gapple@mrP did you enable the integration module that is part of logintoboggan as well? The latest patch relies on it's hook implementation in order to work correctly.
Comment #17
mrP CreditAttribution: mrP commentedI did indeed. LoginToboggan Content Access Integration was enabled during my testing.
Comment #18
fagoWell, then LoginToboggan hacks the role system in a way it's not built for. I do not think that content access should account for anything that does not go with Drupal's role model.
Still, one could do a small module that alters the grants accordingly.
Comment #19
myDrupal2014_846824658246 CreditAttribution: myDrupal2014_846824658246 commentedI'm running in this issue now.
Using :
- Content Access 7.x-1.2-beta2
- LogintoBoggan 7.x-1.4
Can I apply the patch mention by :
https://www.drupal.org/node/915170#comment-5005874
I'm just new in patching ....