Comments on: Access Control Lists in Drupal? http://www.darcynorman.net/2006/04/28/access-control-lists-in-drupal/ apparently much happier in person Fri, 20 Nov 2009 14:35:07 -0700 http://wordpress.org/?v=2.8.6 hourly 1 By: Bill Fitzgerald http://www.darcynorman.net/2006/04/28/access-control-lists-in-drupal/#comment-81804 Bill Fitzgerald Wed, 31 Dec 1969 17:00:00 +0000 1751052429#comment-81804 You also might want to look at the <a href="http://drupal.org/project/simple_access">simple access module</a> -- you will still run into some similar issues wrt scaling, as simple access groups are determined by roles. But, on the bright side, the UI is pretty straightforward. This is something I've actually been thinking about tackling for a while, but with other projects looming it's been pushed to the back burner -- One solution, which mirrors what Boris suggested: create multi-author nodes -- the original author could specify additional authors (or readers, as they desired) when they created the node. If autocomplete (like in freetagging) was enabled for the additional author fields, this would scale just fine -- type in the first few letters of a user, and you're good to go -- no drop down list necessary. The more robust (but, for the end user, potentially more confusing option) involves letting the original node creator select users or roles. The potential access levels could be: add editors/edit content/read content. You also might want to look at the simple access module — you will still run into some similar issues wrt scaling, as simple access groups are determined by roles. But, on the bright side, the UI is pretty straightforward.

This is something I’ve actually been thinking about tackling for a while, but with other projects looming it’s been pushed to the back burner —

One solution, which mirrors what Boris suggested: create multi-author nodes — the original author could specify additional authors (or readers, as they desired) when they created the node. If autocomplete (like in freetagging) was enabled for the additional author fields, this would scale just fine — type in the first few letters of a user, and you’re good to go — no drop down list necessary. The more robust (but, for the end user, potentially more confusing option) involves letting the original node creator select users or roles. The potential access levels could be: add editors/edit content/read content.

]]> By: carl mcdade http://www.darcynorman.net/2006/04/28/access-control-lists-in-drupal/#comment-81805 carl mcdade Wed, 31 Dec 1969 17:00:00 +0000 1751052429#comment-81805 Thanks for confirming what I have been banging my head on lately. I have a partial solution. http://www.hiveminds.co.uk/node/899 This is partial because though I have worked out the database schema there is still a question of usability. Trying to get an all encompassing list of rights per role that does not turn into a GUI that confuses the user. The second problem is trying to make sense of the rights per module, finding a common ground that developers can use in any situation. Access control on a module package like e-commerce is very hard to simplify to a CRUD model. While a contact.module has very simple needs and CRUD may be too much. Thanks for confirming what I have been banging my head on lately. I have a partial solution.

http://www.hiveminds.co.uk/node/899

This is partial because though I have worked out the database schema there is still a question of usability. Trying to get an all encompassing list of rights per role that does not turn into a GUI that confuses the user. The second problem is trying to make sense of the rights per module, finding a common ground that developers can use in any situation. Access control on a module package like e-commerce is very hard to simplify to a CRUD model. While a contact.module has very simple needs and CRUD may be too much.

]]> By: Boris Mann http://www.darcynorman.net/2006/04/28/access-control-lists-in-drupal/#comment-81806 Boris Mann Wed, 31 Dec 1969 17:00:00 +0000 1751052429#comment-81806 Per-node per-user is HARD. I remember we were actually looking at buddylist for this, where it would still (sort of) be role based, but you would create the roles/groups on the fly by user tagging (well, relationship tagging). Think about how to do it in Flickr: JUST as hard -- make a private group and invite the N people you want to have access. Merlinofchaos' na-arbitrator is likely the basis on which you would build something like this. You would want a 4.7-based type ahead widget for selecting users, and then choose a read/write/etc. access level. Per-node per-user is HARD. I remember we were actually looking at buddylist for this, where it would still (sort of) be role based, but you would create the roles/groups on the fly by user tagging (well, relationship tagging).

Think about how to do it in Flickr: JUST as hard — make a private group and invite the N people you want to have access.

Merlinofchaos’ na-arbitrator is likely the basis on which you would build something like this. You would want a 4.7-based type ahead widget for selecting users, and then choose a read/write/etc. access level.

]]> By: Sami Khan http://www.darcynorman.net/2006/04/28/access-control-lists-in-drupal/#comment-81807 Sami Khan Wed, 31 Dec 1969 17:00:00 +0000 1751052429#comment-81807 If you've got a coding question, I am your man... Though I am not all that comfortable yet with access API, I can still help you with the rest of Drupal's innerworkings. If you write up a proposal for what you're describing along with outcomes, it could become a good Google SoC project. If you’ve got a coding question, I am your man… Though I am not all that comfortable yet with access API, I can still help you with the rest of Drupal’s innerworkings. If you write up a proposal for what you’re describing along with outcomes, it could become a good Google SoC project.

]]> By: D'Arcy http://www.darcynorman.net/2006/04/28/access-control-lists-in-drupal/#comment-81808 D'Arcy Wed, 31 Dec 1969 17:00:00 +0000 1751052429#comment-81808 Boris - I'll try to do some R&D here on it. Seems like something that could benefit a lot of the Drupal community. There are some specs already partially published, and some (old) mentions of possibly doing it in Drupal core, but nothing's moved forward. From the sound of it, what I'm describing in the use case isn't possible now (at least not in a manageable and scaleable way) so I'll put some effort into it. Carl - agreed. This is going to take some effort on the UI, not just in code. There are some examples to be learned from though. Bill - I'm using Simple Access, and it rocks for small-ish groups that are known in advance and managed by an admin. Since it's tied to Roles, it just can't scale, and users can't create their own. I actually talked about Simple Access about half-way through this post ;-) Boris – I’ll try to do some R&D here on it. Seems like something that could benefit a lot of the Drupal community. There are some specs already partially published, and some (old) mentions of possibly doing it in Drupal core, but nothing’s moved forward. From the sound of it, what I’m describing in the use case isn’t possible now (at least not in a manageable and scaleable way) so I’ll put some effort into it.

Carl – agreed. This is going to take some effort on the UI, not just in code. There are some examples to be learned from though.

Bill – I’m using Simple Access, and it rocks for small-ish groups that are known in advance and managed by an admin. Since it’s tied to Roles, it just can’t scale, and users can’t create their own. I actually talked about Simple Access about half-way through this post ;-)

]]> By: Bill Fitzgerald http://www.darcynorman.net/2006/04/28/access-control-lists-in-drupal/#comment-81809 Bill Fitzgerald Wed, 31 Dec 1969 17:00:00 +0000 1751052429#comment-81809 D'Arcy -- re talking about simple access in your post -- Yes, you certainly did -- time for me to stop sleepblogging :) I've been thinking about this over the last few days, and it could make a good <a href="http://drupal.org/google-summer-of-code-2006">Summer of Code</a> project. Is this something you want to develop in house, or do you think it would be useful to write up a spec as a proposed project? If it doesn't conflict with any development you are doing/planning, I'd be glad to write up the spec. D’Arcy — re talking about simple access in your post — Yes, you certainly did — time for me to stop sleepblogging :)

I’ve been thinking about this over the last few days, and it could make a good Summer of Code project. Is this something you want to develop in house, or do you think it would be useful to write up a spec as a proposed project?

If it doesn’t conflict with any development you are doing/planning, I’d be glad to write up the spec.

]]> By: D'Arcy http://www.darcynorman.net/2006/04/28/access-control-lists-in-drupal/#comment-81810 D'Arcy Wed, 31 Dec 1969 17:00:00 +0000 1751052429#comment-81810 Bill - I can certainly pitch in. I'm not sure exactly what's involved - never written a Drupal module, and am still getting familiar with the innards/hooks/APIs etc... but can contribute as I'm able. I think if someone took it on as a GSoC project, that we'd need a mentor involved who is extremely familiar with the guts of Drupal. Authentication, authorization, access control, etc... Whether it winds up being done in house (or in several houses) I think a solid spec would help. If nothing else, than to serve as a design doc. I just set up a <a href="http://wiki.darcynorman.net/page/Drupal_User_Access_Control">wiki page</a> for the doc. If there's a better or more appropriate home for it, I'll take that page down. Bill – I can certainly pitch in. I’m not sure exactly what’s involved – never written a Drupal module, and am still getting familiar with the innards/hooks/APIs etc… but can contribute as I’m able. I think if someone took it on as a GSoC project, that we’d need a mentor involved who is extremely familiar with the guts of Drupal. Authentication, authorization, access control, etc…

Whether it winds up being done in house (or in several houses) I think a solid spec would help. If nothing else, than to serve as a design doc.

I just set up a wiki page for the doc. If there’s a better or more appropriate home for it, I’ll take that page down.

]]> By: D'Arcy http://www.darcynorman.net/2006/04/28/access-control-lists-in-drupal/#comment-81811 D'Arcy Wed, 31 Dec 1969 17:00:00 +0000 1751052429#comment-81811 Sami, that's great! I'm just digging in to get familiar with the guts of Drupal - until now I've been content just playing with the various modules, but now I get to dig deeper. When I've got a better idea of what's involved, I'll flesh out the proposal - it could be that I'm not understanding the problem enough yet, so I'll work on that first :-) Sami, that’s great! I’m just digging in to get familiar with the guts of Drupal – until now I’ve been content just playing with the various modules, but now I get to dig deeper.

When I’ve got a better idea of what’s involved, I’ll flesh out the proposal – it could be that I’m not understanding the problem enough yet, so I’ll work on that first :-)

]]> By: Paul http://www.darcynorman.net/2006/04/28/access-control-lists-in-drupal/#comment-82568 Paul Wed, 31 Dec 1969 17:00:00 +0000 1751052429#comment-82568 Hey, I just ran across exactly what you are looking for! Check out the nodeaccess module - it lets you set permission to access any/every node by USER, not by Group! http://drupal.org/project/nodeaccess Hey, I just ran across exactly what you are looking for! Check out the nodeaccess module – it lets you set permission to access any/every node by USER, not by Group!

http://drupal.org/project/nodeaccess

]]>