1 | |
---|
2 | DESCRIPTION |
---|
3 | =========== |
---|
4 | This module gets around two quirks in the 6.x core Node module. |
---|
5 | Currently the Node module: |
---|
6 | - causes access grants to be ignored for unpublished content; |
---|
7 | - ORs together access grants coming from multiple modules; this results |
---|
8 | in content being made accessible by one module when access had already |
---|
9 | been restricted by another, which is undesirable in most cases. |
---|
10 | |
---|
11 | The module ensures that access grants are tested for unpublished content just |
---|
12 | as they are for published content, so that using the Workflow module (or any |
---|
13 | other module that uses the node_access table) you can implement workflows that |
---|
14 | deal effectively with content moving from author via moderator to publisher |
---|
15 | BEFORE it is published (which is where it's needed most, once content is |
---|
16 | visible for all to see, it's a bit late to start a publication workflow |
---|
17 | process!). |
---|
18 | Using Taxonomy Access Control (or -Lite) you can restrict access to content |
---|
19 | to user-defined "vocabularies" such as departments or regions. With Module |
---|
20 | Grants this will work for unpublished content just as it does for published |
---|
21 | content. |
---|
22 | Moreover when Workflow and TAC or (TAC-Lite) are used together this module |
---|
23 | makes sure that the combination exhibits the expected behaviour: access is |
---|
24 | granted to content only when it is in the correct state AND of the appropriate |
---|
25 | vocabulary "term" (such as department, country, etc.). |
---|
26 | The module_grants module achieves this by AND-ing rather than OR-ing the grants. |
---|
27 | |
---|
28 | Module Grants comes bundled with Module Grants Monitor (optional), which |
---|
29 | provides users with a new menu item, "Accessible Content" that shows a list of |
---|
30 | all content accessible to the logged-in user based on the permissions and |
---|
31 | access grants as determined by enabled modules. This list may be filtered using |
---|
32 | a double row of tabs residing at the top of the page, see point 3a below. |
---|
33 | |
---|
34 | INSTALLATION AND CONFIGURATION |
---|
35 | ============================== |
---|
36 | 1. Place the "module_grants" folder in your "sites/all/modules" directory. |
---|
37 | 2. Under Administer >> Site building >> Modules, enable Module Grants and |
---|
38 | optionally Module Grants Monitor (recommended). |
---|
39 | 3a Visit Administer >> User management >> Permissions. Make sure that roles |
---|
40 | that are meant to be able to view unpublished and not yet published content |
---|
41 | have one of the following permissions: |
---|
42 | o "view revisions" (section "node module"), or |
---|
43 | o "view any|all <content-type> content" (section "revisioning module", if |
---|
44 | Revisioning installed). |
---|
45 | Make sure that the role of anonymous user does NOT have any of the above |
---|
46 | permissions. |
---|
47 | 3b There's usually no need to tick "administer nodes" for any role, which is |
---|
48 | good because "administer nodes" equates to almost god-like powers that you |
---|
49 | wouldn't normally give to normal users. |
---|
50 | 4. If required, install and enable as many modules for content access control |
---|
51 | as you need for your situation. Typical examples are Taxonomy Access Control |
---|
52 | (or use TAC Lite) and Workflow. |
---|
53 | 5. Optional, but highly recommended, especially when using Revisioning. Under |
---|
54 | Administer >> User management >> Permissions, section "module_grants_monitor |
---|
55 | module" select for each role which filtering tab they will get to use. The |
---|
56 | permissions, which are in alphabetical rahter than logical order, relate to |
---|
57 | two rows of tabs that appear on the 'Accessible content' page. |
---|
58 | The first row of up to 4 tabs filter content the logged-in user |
---|
59 | created, |
---|
60 | modified, |
---|
61 | can edit, |
---|
62 | can view |
---|
63 | The second row of up to 3 tabs further filter content according to it being |
---|
64 | published, |
---|
65 | unpublished (includes previously published as well as not yet published) |
---|
66 | either ("all", that is: no additional filtering) |
---|
67 | |
---|
68 | NOTE 1: you must tick at least one permission box for each of the 2 rows |
---|
69 | NOTE 2: these tick boxes only determine whether the role in question gets |
---|
70 | to see the tabs, they do not in any way affect access to content. So in |
---|
71 | that sense you can safely tick any or all of the tab boxes for all |
---|
72 | authenticated users. However you may not want to confuse certain roles |
---|
73 | with too many tabs and too much output. |
---|
74 | |
---|
75 | USAGE |
---|
76 | ===== |
---|
77 | Module Grants Monitor creates a new navigation menu item, 'Accessible content' |
---|
78 | visible to the administrator and to roles to which the administrator granted |
---|
79 | access as per the above section, point 5. The content shown under 'Accessible |
---|
80 | content' reflects the access grants given by modules installed on your system |
---|
81 | to the current user. |
---|
82 | |
---|
83 | You can use Module Grants in combination with TAC or TAC-Lite for fine-grained |
---|
84 | access control based on vocabularies (such as "department") assigned to the |
---|
85 | various content types. You can then create department-specific roles (eg |
---|
86 | Sports Author, Music Author) and enforce that these roles can only access |
---|
87 | content belonging to their departments, whether it's published or not. |
---|
88 | Create your grants "schemes" on this page: Administer >> User management >> |
---|
89 | Access control by taxonmy. |
---|
90 | In addition you may want to install the Workflow module to further segragate |
---|
91 | roles (eg author and moderator) via access control based on states such as |
---|
92 | "in draft", "in review" and "published". See Administer >> Site building >> |
---|
93 | Workflow. |
---|
94 | The module makes sure that access to content is given only when BOTH the |
---|
95 | TAC (Lite) and the Workflow Access modules grant it (as opposed to one OR |
---|
96 | the other). |
---|
97 | |
---|
98 | This module also works well with the Revisioning module for creating effective |
---|
99 | publication workflows operating on published as well as unpublished content |
---|
100 | revisions. |
---|
101 | See the Revisioning project page at http://drupal.org/project/revisioning |
---|
102 | for three step-by-step tutorials. |
---|
103 | |
---|
104 | Be aware that any permissions given in the "node module" section override the |
---|
105 | access grants given by the Workflow and TAC-Lite modules, so you probably only |
---|
106 | want to assign a few creation permissions in the node module and grant |
---|
107 | view, update and delete via TAC/TAC-Lite and/or Workflow. |
---|
108 | |
---|
109 | Additional configuration options are found at Administer >> Site configuration |
---|
110 | >> Module Grants. |
---|
111 | |
---|
112 | API |
---|
113 | === |
---|
114 | Module Grants features one hook, hook_user_node_access($revision_op, $node), |
---|
115 | which module developers may implement to alter or add to the behaviour of |
---|
116 | Module Grants as it determines whether access to a supplied node or revision |
---|
117 | should be granted using the requested operation. |
---|
118 | See the module_grants.api.php file. |
---|
119 | |
---|
120 | AUTHOR |
---|
121 | ====== |
---|
122 | Rik de Boer, Melbourne, Australia. |
---|