Access control via (and on) taxonomy terms #823
Comments
|
This sounds super-useful! Might there be some overlap with other authZ needs? E.g. if I define a collection via a property value ("All resources with |
|
Not sure, but assuming we can sync taxonomy terms with properties, I could imagine a Context that checks for the taxonomy term equivalent of |
|
Sorry, I was imagining that
that kind of thing. And since we at SI have no intention of using PCDM for anything (I don't think any site that isn't a library would want to do that) I'm imagining a collection (in the generic sense, not the library sense, maybe better to use the word "class") that just is all things with (say) |
|
@ajs6f As long as you are not looking for any As of the recent change to modelling in Drupal I think only @dannylamb can say for sure whether this is already on the radar. |
|
OK, thanks. Taxonomy terms can have URIs as internal (to Drupal) IDs, so if I am understanding your example, you could add all your researcher's ORCHiDs as a taxonomy and apply them to nodes (and then, via Views, get an instant listing of all of a researcher's works). But to Drupal they are still just standard taxonomy terms, which can in fact be used to control access and pretty much anything else you can implement using either existing contributed modules (in fact the one that I mention in the initial issue above does just that) or via Context. @dannylamb has had a lot more experience in the CLAW context (ha, no pun intended) with using taxonomies, as evidenced during his demo last week. He may want to weigh in on this, but I think that the answer to your initial question above is 'yes'. In fact, we currently use taxonomies in a Fedoraless-Drupal 6 site (our institutional repository) to define what are the equivalent of "collections" in Islandora 7.x, and to define who may add members to them and who may view their members. Each collection is a single taxonomy term, with child collections being child terms. |
|
Damit ninjad by @whikloj |
|
I don't think https://www.drupal.org/project/permissions_by_term is going to be suitable. Permissions are set at the term level, not the taxonomy level, in the term CRUD form. Help text: "To limit access to this term by user(s) or role(s), select users or roles above. If left empty, all users will have access to content, related to this taxonomy term and this taxonomy term itself." My tests confirm that if a term is restricted to a role (didn't test specific users, but that's also an option), then only users of that role can assign the term to content, and only users of that role can access that content. This means that we can't use this module to restrict who can assign terms without restricting who can access content with those terms. Will move on to other taxonomy ACL modules. |
|
But.... since taxonomies are linked to entities as fields, we can use https://www.drupal.org/project/field_permissions to control what roles can assign terms from specific taxonomies at the taxonomy level. Granularity of permissions this module provides are:
So, as is often the case in Drupal, a combination of contrib modules solves the problem(s). The problems here being:
|
|
As per the CLAW call on May 2, I have created structured use cases. |
|
Have other approaches besides taxonomies been considered for access control? The ACL module coupled with the Content Access module seems to be a potential approach. Both have ports (alpha at the moment) to Drupal 8. |
|
@dmoses here's a list of issues relating to access control (there might be others):
Given the discussion over at #888, we might want to review these issues/use cases and document the various ways the Drupal 8 will let us control who sees and manages what. Not sure of the best mechanism for this review is at the moment however. |
|
Relevant blog post listing a variety of ways to control access to Drupal 8 content: https://www.optasy.com/blog/how-do-you-restrict-access-content-drupal-8-6-modules-will-do-job-you. |
|
We need to test controlling access to media/files using tags, for example terms from the Media Use vocabulary. |
|
I installed and enabled the Permissions by Term module and its submodule Permissions by Entity (which is needed to provide access control by term to Media) and they appear to work as expected. By configuring specific taxonomy terms, I was able to restrict access to authenticated users to the node, media (using direct URL to media) and the media's file (using direct URL to file). Not tested, but this should work with any role and even individual users. |
|
This is tested and working with |
Given the importance of taxonomies in CLAW, we need to be able to control access to content that has particular terms applied to it and also to the ability to assign the terms themselves. Looks like https://www.drupal.org/project/permissions_by_term is the best contrib module to allow those things. I will test and report back here.
The text was updated successfully, but these errors were encountered: