Hi - I'm trying to set up a Drupal 8 web app where a user can make comments on a node that are private only to that user. Field Permissions seemed to be the answer.

I set up a "Private Comment" comment type, then attached it to the Content Type (called "Resolution"). On the "Comment" field within the comment type, I set the visibility via Field Permissions to "Private". That works fine. If I log in as UserB, I cannot see the "Comment" field that UserA has created.

But where I'm running into issues is that when UserB views a Resolution node, UserB can see that comments exists (I have the post date showing on the comment, and the links which allow Delete/Edit/Reply). (I'm using a Display Suite view mode to display the comments.) UserB can't see the Comment field itself or that UserA is the author, but UserB can see that a comment exists, along with the post date and the Reply link.

I thought of setting Field Permissions visibility on the "Private Comment" that exists as a field in the Resolution content type. But there's no option to do that.

So I'm not sure if this is ultimately a feature request or a support request. I'd like a way to hide even the existence of any comment that's not made by the logged-in user. It would seem that the best way to do that would be to implement Field Permissions on the Comment field that's attached to a Content Type. Is that in the works? Or is there some other way that I can do what I'm needing?

Thanks in advance for any help.

Comments

michaelschutz created an issue.

k4v’s picture

k4v commented

Also it would be nice if one could set the permissions on the comment field on the host entity... so some users cannot see any trace of the comments.

Update: Oh, i completely overlooked that you can just the the permission in the comments module to achieve this.

But still, this is not a per-field-setting, you can only restrict comments globally for a role.

eahonet’s picture

eahonet commented

Current Project: The writers on the site want a private set of comments for nodes in draft stage. Then when the node is published, they want users to be able to comment on them as normal, but not see all the pre-published notes. My plan was to use "comments" from existing fields and create "Admin Comments" for a second field. Then use Field Permissions to control that.

So I'm adding this as someone else who would be interested in this as a future feature.

jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
commented

It may be difficult to support this sort of complex logic in this module. If you look at how field permissions works, it simply adds a UI for some fairly basic logic, and then enforces access via core's hook_entity_field_access(). It might be better to implement this hook in either a custom module, or a new contrib module for more complex comment entity access control...

sjhuskey’s picture

sjhuskey commented

I need to implement something similar. My client wants reviewers to be able to comment on nodes without anyone else being able to see the comments until after the review period has concluded. After that, all reviewers should be able to see all comments. The "View Own" permission doesn't accomplish this. In fact, what does happen is pretty bizarre.

I tried to implement some logic in comment.html.twig to check if the comment's author_id matches the current user's uid. That kind of works, but there's a caching issue that I haven't been able to sort out. User A can comment on a node and see only User A's comment. But when User B views the same node, User B can see User A's comment. If I clear all caches, User B can see only User B's comments. But when User C visits the node, User C and see User B's comment, until I clear the cache.

I posted this issue at https://drupal.stackexchange.com/q/311373/56518, but the solutions there have not worked.

I'm posting here to add to the comments of those who believe this functionality is needed.