| 1 | |
|---|
| 2 | DESCRIPTION |
|---|
| 3 | =========== |
|---|
| 4 | This module gets around two quirks in the 6.x core Node module. |
|---|
| 5 | Currently the Node module: |
|---|
| 6 | - causes access grants to be ignored for unpublished content; |
|---|
| 7 | - ORs together access grants coming from multiple modules; this results |
|---|
| 8 | in content being made accessible by one module when access had already |
|---|
| 9 | been restricted by another, which is undesirable in most cases. |
|---|
| 10 | |
|---|
| 11 | The module ensures that access grants are tested for unpublished content just |
|---|
| 12 | as they are for published content, so that using the Workflow module (or any |
|---|
| 13 | other module that uses the node_access table) you can implement workflows that |
|---|
| 14 | deal effectively with content moving from author via moderator to publisher |
|---|
| 15 | BEFORE it is published (which is where it's needed most, once content is |
|---|
| 16 | visible for all to see, it's a bit late to start a publication workflow |
|---|
| 17 | process!). |
|---|
| 18 | Using Taxonomy Access Control (or -Lite) you can restrict access to content |
|---|
| 19 | to user-defined "vocabularies" such as departments or regions. With Module |
|---|
| 20 | Grants this will work for unpublished content just as it does for published |
|---|
| 21 | content. |
|---|
| 22 | Moreover when Workflow and TAC or (TAC-Lite) are used together this module |
|---|
| 23 | makes sure that the combination exhibits the expected behaviour: access is |
|---|
| 24 | granted to content only when it is in the correct state AND of the appropriate |
|---|
| 25 | vocabulary "term" (such as department, country, etc.). |
|---|
| 26 | The module_grants module achieves this by AND-ing rather than OR-ing the grants. |
|---|
| 27 | |
|---|
| 28 | Module Grants comes bundled with Module Grants Monitor (optional), which |
|---|
| 29 | provides users with a new menu item, "Accessible Content" that shows a list of |
|---|
| 30 | all content accessible to the logged-in user based on the permissions and |
|---|
| 31 | access grants as determined by enabled modules. This list may be filtered using |
|---|
| 32 | a double row of tabs residing at the top of the page, see point 3a below. |
|---|
| 33 | |
|---|
| 34 | INSTALLATION AND CONFIGURATION |
|---|
| 35 | ============================== |
|---|
| 36 | 1. Place the "module_grants" folder in your "sites/all/modules" directory. |
|---|
| 37 | 2. Under Administer >> Site building >> Modules, enable Module Grants and |
|---|
| 38 | optionally Module Grants Monitor (recommended). |
|---|
| 39 | 3a Visit Administer >> User management >> Permissions. Make sure that roles |
|---|
| 40 | that are meant to be able to view unpublished and not yet published content |
|---|
| 41 | have one of the following permissions: |
|---|
| 42 | o "view revisions" (section "node module"), or |
|---|
| 43 | o "view any|all <content-type> content" (section "revisioning module", if |
|---|
| 44 | Revisioning installed). |
|---|
| 45 | Make sure that the role of anonymous user does NOT have any of the above |
|---|
| 46 | permissions. |
|---|
| 47 | 3b There's usually no need to tick "administer nodes" for any role, which is |
|---|
| 48 | good because "administer nodes" equates to almost god-like powers that you |
|---|
| 49 | wouldn't normally give to normal users. |
|---|
| 50 | 4. If required, install and enable as many modules for content access control |
|---|
| 51 | as you need for your situation. Typical examples are Taxonomy Access Control |
|---|
| 52 | (or use TAC Lite) and Workflow. |
|---|
| 53 | 5. Optional, but highly recommended, especially when using Revisioning. Under |
|---|
| 54 | Administer >> User management >> Permissions, section "module_grants_monitor |
|---|
| 55 | module" select for each role which filtering tab they will get to use. The |
|---|
| 56 | permissions, which are in alphabetical rahter than logical order, relate to |
|---|
| 57 | two rows of tabs that appear on the 'Accessible content' page. |
|---|
| 58 | The first row of up to 4 tabs filter content the logged-in user |
|---|
| 59 | created, |
|---|
| 60 | modified, |
|---|
| 61 | can edit, |
|---|
| 62 | can view |
|---|
| 63 | The second row of up to 3 tabs further filter content according to it being |
|---|
| 64 | published, |
|---|
| 65 | unpublished (includes previously published as well as not yet published) |
|---|
| 66 | either ("all", that is: no additional filtering) |
|---|
| 67 | |
|---|
| 68 | NOTE 1: you must tick at least one permission box for each of the 2 rows |
|---|
| 69 | NOTE 2: these tick boxes only determine whether the role in question gets |
|---|
| 70 | to see the tabs, they do not in any way affect access to content. So in |
|---|
| 71 | that sense you can safely tick any or all of the tab boxes for all |
|---|
| 72 | authenticated users. However you may not want to confuse certain roles |
|---|
| 73 | with too many tabs and too much output. |
|---|
| 74 | |
|---|
| 75 | USAGE |
|---|
| 76 | ===== |
|---|
| 77 | Module Grants Monitor creates a new navigation menu item, 'Accessible content' |
|---|
| 78 | visible to the administrator and to roles to which the administrator granted |
|---|
| 79 | access as per the above section, point 5. The content shown under 'Accessible |
|---|
| 80 | content' reflects the access grants given by modules installed on your system |
|---|
| 81 | to the current user. |
|---|
| 82 | |
|---|
| 83 | You can use Module Grants in combination with TAC or TAC-Lite for fine-grained |
|---|
| 84 | access control based on vocabularies (such as "department") assigned to the |
|---|
| 85 | various content types. You can then create department-specific roles (eg |
|---|
| 86 | Sports Author, Music Author) and enforce that these roles can only access |
|---|
| 87 | content belonging to their departments, whether it's published or not. |
|---|
| 88 | Create your grants "schemes" on this page: Administer >> User management >> |
|---|
| 89 | Access control by taxonmy. |
|---|
| 90 | In addition you may want to install the Workflow module to further segragate |
|---|
| 91 | roles (eg author and moderator) via access control based on states such as |
|---|
| 92 | "in draft", "in review" and "published". See Administer >> Site building >> |
|---|
| 93 | Workflow. |
|---|
| 94 | The module makes sure that access to content is given only when BOTH the |
|---|
| 95 | TAC (Lite) and the Workflow Access modules grant it (as opposed to one OR |
|---|
| 96 | the other). |
|---|
| 97 | |
|---|
| 98 | This module also works well with the Revisioning module for creating effective |
|---|
| 99 | publication workflows operating on published as well as unpublished content |
|---|
| 100 | revisions. |
|---|
| 101 | See the Revisioning project page at http://drupal.org/project/revisioning |
|---|
| 102 | for three step-by-step tutorials. |
|---|
| 103 | |
|---|
| 104 | Be aware that any permissions given in the "node module" section override the |
|---|
| 105 | access grants given by the Workflow and TAC-Lite modules, so you probably only |
|---|
| 106 | want to assign a few creation permissions in the node module and grant |
|---|
| 107 | view, update and delete via TAC/TAC-Lite and/or Workflow. |
|---|
| 108 | |
|---|
| 109 | Additional configuration options are found at Administer >> Site configuration |
|---|
| 110 | >> Module Grants. |
|---|
| 111 | |
|---|
| 112 | API |
|---|
| 113 | === |
|---|
| 114 | Module Grants features one hook, hook_user_node_access($revision_op, $node), |
|---|
| 115 | which module developers may implement to alter or add to the behaviour of |
|---|
| 116 | Module Grants as it determines whether access to a supplied node or revision |
|---|
| 117 | should be granted using the requested operation. |
|---|
| 118 | See the module_grants.api.php file. |
|---|
| 119 | |
|---|
| 120 | AUTHOR |
|---|
| 121 | ====== |
|---|
| 122 | Rik de Boer, Melbourne, Australia. |
|---|
