User login

Node Authors module: give multiple people edit rights to specific content based on userreference field

Deep background:

Michelle: Anyone know of some good docs on doing access control? The node chapter of PDD touches on it but not enough for me to really get it and what I'm trying to do is complicated
[10:55am] agentrickard: node access or user access?
[10:55am] Michelle: Well, user access to nodes
[10:55am] Michelle: I need to be able to control access to a node based on a userreference field
[10:56am] Michelle: Talking in code, not adding a module, btw
[10:56am] agentrickard: explain
[10:56am] Michelle: I have a userreference field. The user in that field needs full access to the node as well as the author. But no one else (except admins)
[10:57am] agentrickard: got it
[10:57am] agentrickard: typically, this is a node_access task
[10:57am] agentrickard: the node access docs are actually pretty good, but the concepts are tricky. http://api.drupal.org/api/group/node_access/5
[10:58am] Michelle: Yeah, this section of the book is going over my head
[10:58am] agentrickard: it took me two days to comprehend
[10:58am] NikLP: is this the node_Access module...?
[10:58am] agentrickard: two _full_ workdays
[10:58am] Michelle: I was able to do it easily when I was definitng the content types myself, but I've switched gears and am defining a widget instead
[10:58am] jredding: which module handles rss.xml?
[10:58am] Michelle: Yikes... That's not good since you're a lot smarter than me
[10:58am] agentrickard: no, this is the noade access API
[10:58am] NikLP: soz
[10:58am] agentrickard: node_access module will do what you want, but it will create an extra step
[10:59am] Michelle: Shoot, baby emergemcy. Gotta run for a bit
[10:59am] agentrickard: Michelle: after you create the node, you'd need to set the Grants using the Node Access module.

ben-agaric: Michelle (when you get back) - I gave userreference field defined users access to nodes (and all descendent nodes, for that matter) in http://drupal.org/project/relativity_access
[11:03am] parentheses left the chat room. ("leaving")
[11:03am] calebg joined the chat room.
[11:03am] adrigm: channel drupal spanish?
[11:04am] dmitrig01: #drupal-es
[11:04am] aymerick left the chat room.
[11:04am] dmitrig01: maybe
[11:04am] ben-agaric: I think I even made a UI for choosing which userreference fields. But don't ask me how all the access control stuff works, my brain cleaned that out long ago
[11:04am] agentrickard: ben-agaric: niiiiice
[11:04am] adrigm: thank
[11:04am] dmitrig01: ben-agaric: awesome
[11:05am] ben-agaric: it was a rather rocky release (my first use of CVS etc, stupid bugs getting in) but I think some people are actually using the module
[11:05am] adrigm left the chat room. ("Saliendo")
[11:05am] ben-agaric: (aside from the client that paid for it!)
[11:05am] agentrickard: if I get it, you can do the same thing with Node Access module, but this pre-populates the choices for you?
[11:05am] • dmitrig01 is battling and shaping install_profile_api into something usable
[11:06am] ben-agaric: Node access has cascading rights based on the relativity module?
[11:06am] • ben-agaric will shoot himself
[11:06am] aymerick joined the chat room.
[11:07am] agentrickard: no
[11:07am] agentrickard: so two differences
[11:07am] ben-agaric: Good! I brought it up here because I also gave access to userreference fields, and that part could be pulled out for Michelle's needs
[11:08am] ben-agaric: but probably better combined with nodeaccess since the access logic in relativity_access got crazy
[11:08am] agentrickard: hook_node_access is a slippery slope
[11:10am] Michelle: Sorry, guys, hubby came in with a messy baby. All clean. Will read the backscroll now
[11:10am] chrisxj joined the chat room.
[11:12am] Michelle: Willl look at that module. Thanks. I should have been clearer when I said I wasn't looking for a module... I was just meaning that my question wasn't simply "what module does X" which is why I asked here instead of support. I'm not opposed to using a module if it works
[11:12am] Michelle: This is a really tricky thing because I'm creating a widget which makes things happen at the node level but it can be put on any content type so I don't know what they are in advance
[11:12am] Michelle: Anyway, looking at the module now
[11:13am] agentrickard: i think ben-agaric is right, you probably want to use similar logic to his, but you likely need your own node access system
[11:14am] Michelle: Yeah, reading the description it's not a plug and play thing but an example to follow always helps
[11:14am] agentrickard: the node_access tutorial in api docs is actually pretty good
[11:15am] agentrickard: just remember two things: you have to prepare an array on node save and another on user load
[11:15am] ben-agaric: I could generalize the userreference stuff for you if you don't need it too soon. Karren S. explained the Drupal way of pulling up CKK fields which is the real key to this
[11:15am] agentrickard: If you can understand: http://api.drupal.org/api/function/hook_node_access_records/5 and http://api.drupal.org/api/function/hook_node_grants/5, then you'll be fine
[11:15am] dmitrig01: except for the fact that those are the two hardest to understand hooks
[11:16am] ben-agaric: and by "generalize" I mean see if it could be a helper module to both my relativity_access and node_access
[11:16am] agentrickard: dmitrig01: actually, I found them to be easy; just return arrays -- the trick is knwoing what your arrays mean
[11:16am] Michelle: I'm not sure how soon I need it.. This work I'm doing is really vague. Not real good specs, no discussion of the businessy stuff, loose deadline. High possibility of getting burned on the money part but I'm learning a ton so it's ok
[11:16am] dmitrig01: heh exactly
[11:17am] ben-agaric: yup, dmitrig01, that's why I'm hoping agentrickard is right, and we can just make a helper module for nodeaccess for Michelle.
[11:17am] Michelle: This would actually be a kind of cool module, having the ability to give any node with a userreference field on it access to that user
[11:17am] agentrickard: Michelle: I just worked out all this stuff for Domain Access
[11:17am] agentrickard: Michelle: even more abstract, you really want the ability to assign multiple authors to a node
[11:17am] Michelle: This is my first trip into node access so I'm a bit bewildered. Will need to do lots of reading
[11:17am] Michelle: agentrickard - Yeah, that's pretty much it
[11:17am] agentrickard: a Node Authors module could do that, then your cck field just hooks into it
[11:18am] ben-agaric: is there a node authors module?
[11:18am] agentrickard: dunno
[11:18am] agentrickard: should be
[11:18am] Michelle: The idea is this: A user wants to request something from another user. They click a link on the profile of the user which prefills in a userreference field and enter their request. Both the requester and the requestee should have total access to the node but no one else, except admins, should even be able to view it
[11:18am] lsblakk joined the chat room.
[11:18am] ben-agaric: yup!
[11:19am] NikLP left the chat room. ("ChatZilla 0.9.78.1 [Firefox 2.0.0.9/2007102514]")
[11:19am] agentrickard: Michelle: you could also lean on the Node Access module and pass it values via drupal_execute, I think
[11:20am] ben-agaric: if it's built well probably a function even more direct than using drupal_execute
[11:20am] • agentrickard looks at nodeaccess.module code
[11:21am] grndlvl left the chat room. ("This computer has gone to sleep")
[11:21am] Michelle: "shared access" might be a good general module name. You are sharing access to the node among one or more people
[11:21am] agentrickard: yes
[11:22am] agentrickard: well, nodeaccess.module doesn't really use the node_access hooks correctly
[11:22am] Michelle: I hadn't looked at the node access module... TBH, I didn't realize that _was_ a module.
[11:22am] Michelle: Oh... Heh... That's not good
[11:22am] agentrickard: it calls node_access_write_grants() directly, which is a no-no
[11:22am] grndlvl joined the chat room.
[11:23am] Michelle: PDD talks about hook_nde_access_records
[11:23am] Michelle: brb
[11:24am] agentrickard: excuse me, not a no-no, but only recommended for batch actions
[11:24am] Haza`` left the chat room. ("apula")
[11:26am] Michelle: Back. Sorry, hubby decided cleaning his office was terribly important right now so I'm trying to parent while doing this. Sigh
[11:27am] Michelle: Ok, I'm going to read these docs you pointed me at. ben-agaric - a module would be lovely if you are able but I'm going to keep learning in the mean time in case you're not and also because it's good for me to understand it

ben-agaric: Michele, agentrickard: you can count on me to do or help do a "node authors" module – configurable access rights for users attached by (also configurable) userreference fields in the next 2-3 weeks
[11:39am] • ben-agaric just realizes that this same request was made for World Social Forum 2008
[11:39am] agentrickard: great
[11:39am] Michelle: Hmm... I don't know if these guys are _that_ flexible, but it's still a good module in general. I've seen this asked for in -support more than once
[11:40am] ben-agaric: well it shouldn't be hard-- I know I've got the "choose a userreference field" figured out
[11:40am] ben-agaric: and the nodeaccess part is about as simple as nodeaccess gets
[11:40am] ben-agaric: so the question is do we make work with another module or implement it ourselves
[11:40am] _th00ry is now known as th00ry.
[11:41am] ben-agaric: which is the part I'm hoping agentrickard or you Michelle can answer
[11:41am] Michelle: I'm not sure I understand the question...
[11:41am] Michelle: You mean make that module you showed me work with other modules?
[11:42am] mfer joined the chat room.
[11:42am] agentrickard: ben-agaric: you could integrate it with nodeaccess.module I would bet -- but I hate chains of dependency
[11:43am] calebg left the chat room.
[11:43am] • ben-agaric wants automatic installation of dependencies, then I would love dependency
[11:44am] ben-agaric: the many small modules working together idea
[11:45am] Michelle: Chains of dependancy can really be a PITA. I needed to temporarily disable token once... Wow, that was hard
[11:46am] ben-agaric: ok, well drop me a line if a deadline nears / passes / another solution is found / a module that should be extended with this is found. I'll try to work on it soon. http://AgaricDesign.com/contact
[11:47am] Michelle: Gotta go again, sorry... Parenting

Resolution

Comments

Resources used in making

Resources used in making this module, which became the Userreference Module:
http://api.drupal.org/api/function/node_access_example_enable/5
http://api.drupal.org/api/function/hook_node_grants/5

And a lot of looking at my own Relativity Access module to see how I did it, and even more looking at the access-related functions in the node module.

Need met

Mitchell took the module over and committed it to Drupal.org: http://drupal.org/project/userreference_access

But someone else met the needs better: http://drupal.org/project/nodeaccess_userreference

Use case

Rather than having a single user, the initial poster, be considered the author of content, a major science collaboration site includes all userreference fields as authors of the content. Users in userreference fields should be able to use this content in the same way that the Drupal user author of a node can.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • You may post code using <code>...</code> (generic) or <?php ... ?> (highlighted PHP) tags.
  • You can use Markdown syntax to format and style the text. Also see Markdown Extra for tables, footnotes, and more.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <img> <blockquote> <small> <h2> <h3> <h4> <h5> <h6> <sub> <sup> <p> <br> <strike> <table> <tr> <td> <thead> <th> <tbody> <tt> <output>
  • Lines and paragraphs break automatically.

More information about formatting options

By submitting this form, you accept the Mollom privacy policy.