Comments on: On Drupal’s Node Access Control Scheme

By: Gianna

Gianna — Tue, 03 Jun 2008 07:20:24 +0000

Access control to contacts is probably the most difficult piece of the CiviNode code base, and needs a bit of discussion. Perhaps the best way to start is with the basic scheme, and then a discussion of how this is different from what CiviCRM already does, and how it differs from different schemes used or under discussion for Drupal.

By: dnorman

dnorman — Wed, 31 Dec 1969 17:00:00 +0000

Boris – absolutely. Let me know when you’re back on the left side of The Pond…

By: dnorman

dnorman — Wed, 31 Dec 1969 17:00:00 +0000

Boris – we tried using Organic Groups for everything, but for many things the simplicity of Simple Access was what the clients needed.

I’ll take another look at the latest version of OG, with the extra modules (like forum groups…) and see if I can replicate everything just using OG.

This is one of those areas where almost every single client/professor/user we work with steps back, scratches their head, and says some variation of “you mean Drupal doesn’t let me pick the audience for a page?”

In our case, we’ve got a bunch of nodes as “Page” nodes, some of which are restricted by Simple Access. We also have blogs and forums, which may be more appropriate using Organic Groups to define access and group views.

By: Boris Mann

Boris Mann — Wed, 31 Dec 1969 17:00:00 +0000

D'Arcy, when I get back from Germany, I would love to have a voice chat about this.....what if you actually think of organic groups as access control...that is, you might not even *use* the actual group home page.

(this pretty much just goes to show how much I trust OG)

But in general, being able to do per-post, per-user access control would be a Good Thing™ in many cases.

By: dnorman

dnorman — Wed, 31 Dec 1969 17:00:00 +0000

Boris made a comment, but it got stuck somewhere it Cocomment land. I’ve disabled that module in case it’s gumming things up, and here’s Boris’ comment:

Usually you really only do need only one of the modules. For example, Organic Groups can be installed and made to exclude book pages, and then you only give book editing permissions to a particular role.

So the short answer is, the node access API is there so different implementations can exist. I, personally, do not fully trust anything other than organic groups.

Your description of whitelisting/blacklisting is a simplified description of what is actually happening at the code level…it is much easier to say than to implement securely, robustly, and in a scalable way.

AFAIK, there is no one actively working on NA Arbitrator. The “strategy” comes from whomever puts time (well, code and patches) into development. So…if you’ve got an itch to scratch, start submitting patches and start the discussion.

By: merlinofchaos

merlinofchaos — Wed, 31 Dec 1969 17:00:00 +0000

Actually, I intend to take the arbitrator and submit it as a patch for 4.8.

My biggest issue is that I'm not happy with the 'priority' feature, but at the moment it's the best we've got. The guy who was doing the node_access.module, now renamed na_multi.module was working on making something a little more flexible, but that seems a long way off and difficult to convince people of.

The arbitrator, on the other hand, may make it in, I just need to do it. And explain it. The explanation actually is harder than the code.

By: moshe Weitzman

moshe Weitzman — Wed, 31 Dec 1969 17:00:00 +0000

the arbitrator really is the futue. i am waiting for someone to pay a bit in order to port og to it. thats not trivial.

By: dnorman

dnorman — Wed, 31 Dec 1969 17:00:00 +0000

moshe – true. I’m still mulling over my access control list module. On the one hand, it’d be straight forward to build it as a standalone module. But then I’d have the conflict issue when used with other acces control modules. As an NA-Arbitrator module, at least it could play nicely with other NA-Arbitrator modules…

Also, I just downloaded the latest suite of OG modules from CVS, and with access control enabled for OG (and only OG), it is close to what I need for at least one project.