In another tutorial this week, we talked about a major hole in Drupal's permissions system.
The hole is that Drupal allows you to control who can create, edit and delete content but not who can view it.
Because this problem impacts a lot of sites, there are a lot of available solutions. In that other tutorial, we recommended the Content Access module. In this tutorial, we're going to recommend the Taxonomy Access Control module.
What's the difference?
- Content Access works best if your user roles closely match your content types.
- Taxonomy Access Control works best if you have a more complicated permissions system and one that doesn't closely match your content types.
Using the Taxonomy Access Control Module
Here's the example we're going to use in this tutorial.
- On this screen we have 5 content items, all of the same content type.
- Each content item is tagged with the appropriate state. For example, San Francisco is tagged with "California".
- We want to deny anonymous users the ability to view items from some states.
- Install the Taxonomy Access Control module: http://drupal.org/project/taxonomy_access
- Enable the module.
- Click the Rebuild permissions button.
- You'll see a message saying, "The content access permissions have been rebuilt."
- Go to Configuration > Taxonomy Access Control.
- You'll see that you have options for each user role. Click "edit access" rules next to anonymous user.
You'll now see the main Taxonomy Access Control page. Here's how to understand the page:
- You add the tags on the left.
- You look for the permissions across the top.
First, let's add the tags:
- Under New, choose a tag.
- Click Add.
- Repeat until you've chosen all the tags that you want to control access for.
Now let's look across the top of the page:
Here are 5 new permissions that Drupal doesn't have by default:
- View: can the user see nodes with this term?
- Update: can the user edit nodes with this term?
- Delete: can the user delete nodes with this term?
- Add: can the user add this term to a node?
- View: can the user see the term when looking at a node?
Now that we've seen both the left and the top of the page, we can start to apply permissions.
For each permission, you choose the setting for each tag. Here's what the labels A, I, D mean:
- A: people in this user role (in this case, anonymous) have this permission (in this case, View)
- I: people in this user role have the same permissions as the default setting above
- D: people in this user role do not have this permission.
So, if we set the permissions as in the image below, anonymous users can view content tagged with Texas and Washington, but they can't view content tagged with California or Georgia.
Look back up to the image at the start of this tutorial. Here's how that screen now appears to anonymous users.
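The A, I, D settings described above can be checked on paper before you rely on them. The Python sketch below is an added example, not code from the Taxonomy Access Control module: it resolves the View setting for one role and reports which items that role can see and which tags depend on the default. It assumes a tag that was never added to the page behaves like I, and every item except San Francisco / California is constructed sample data.

```python
# Added illustration; not the Taxonomy Access Control module's own code.
ALLOW, IGNORE, DENY = "A", "I", "D"

def can_view(term, rules, default):
    """Resolve the View setting for one tag for a single role."""
    if default not in (ALLOW, DENY):
        raise ValueError("default must be A or D")
    # Assumption: a tag that was never added to the page is treated like I.
    setting = rules.get(term, IGNORE)
    if setting not in (ALLOW, IGNORE, DENY):
        raise ValueError(f"unknown setting {setting!r} for {term!r}")
    if setting == IGNORE:
        setting = default  # I: same as the default setting
    return setting == ALLOW

def audit(items, rules, default):
    """Split items into visible/hidden and list tags that depend on the default."""
    report = {"visible": [], "hidden": [], "relies_on_default": []}
    for title, term in items:
        key = "visible" if can_view(term, rules, default) else "hidden"
        report[key].append(title)
        uses_default = rules.get(term, IGNORE) == IGNORE
        if uses_default and term not in report["relies_on_default"]:
            report["relies_on_default"].append(term)
    return report

# Constructed sample data: only San Francisco / California comes from the tutorial.
ITEMS = [
    ("San Francisco", "California"),
    ("Austin", "Texas"),
    ("Seattle", "Washington"),
    ("Atlanta", "Georgia"),
    ("Portland", "Oregon"),  # tag with no rule for the anonymous role
]
# View settings for the anonymous role, as in the tutorial's example.
ANONYMOUS_VIEW = {"Texas": ALLOW, "Washington": ALLOW,
                  "California": DENY, "Georgia": DENY}

if __name__ == "__main__":
    for default in (ALLOW, DENY):
        print(default, audit(ITEMS, ANONYMOUS_VIEW, default))
```

With the default set to A, the item whose tag has no rule stays visible to anonymous users, so review the `relies_on_default` list whenever new tags are created.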