We are evaluating Drupal as an enterprise CMS and need some help/recommendations for the following features.
Multi Step Approval Workflows with reassignments
PDF files in the media library require authentication to view/download - Does Drupal have any security features that do not allow anonymous access to media files?
Does Drupal support Roles, User Groups and security groups? We are looking to restrict users from certain areas of the website and CMS based on group and role permissions.
I understand that Drupal is modular by design, so are there lots of modules available that do similar things, or are these functions available in Core?
Appreciate any advice/experience that members can share.
Thank you.
Drupal can do all these things.
Multi Step Approval Workflows with reassignments
There is the Workbench moderation module, but also now in Drupal core as of 8.4, the Content moderation system is available. You might need to do some research on how content review might be assigned to a specific user.
PDF files in the media library require authentication to view/download - Does Drupal have any security features that do not allow anonymous access to media files?
Yes, Drupal has a private file system available in core. You need to set this up when you are setting up the file fields initially, because converting from a public to private file system is a bit of a messy process (I literally just did it a couple months ago for a project). You can store files in a directory outside of your webroot, and the user will request a path like /file/system/1234, and all appropriate access checks are made. You might need to set up some additional permissions to have these access checks respect things like "groups" or any other access rules that you want to implement.
Does Drupal support Roles, User Groups and security groups? We are looking to restrict users from certain areas of the website and CMS based on group and role permissions.
Yes! "Roles" are available out of the box in Drupal. You can define as many roles as you like, and apply permissions to each role.
There is a module called "Organic Groups" which provides the group functionality. You can restrict content access to group members as well. You can even define roles within a group, so different users can manage the group.
Currently, we are running 2 web pages based on WordPress, a custom application built in JS (Hapi, Angular, Mongo), as well as a self-hosted GitLab repository and hosting based on ISP Config. Currently, a user who wants to use more than 1 service is forced to create multiple accounts.
What would be the best approach to centralize it assuming that we want:
a user to use same credentials on each page
allow a user to log in using social login (Facebook, Google, Twitter) and still keep his single profile
centralize information about user services, usage and billing information (invoices)
We do not want to overcomplicate the solution; therefore, we don't want to centralize access management and obtain it from a centralized server. Each page/service will maintain it on its own (i.e. when a user makes a purchase in one of the WP sites (WooCommerce), WordPress itself will maintain the order and we will write custom code to report the sale to the centralized system for billing purposes).
We are currently considering using LDAP or Kerberos, what would suit better?
Secondly - how to cover the part regarding social login? I assume that we should still allow users to register using OAuth2 and somehow synchronise the data between each service and the centralized system. Is there another way?
Your desires [correct me if I'm wrong]:
You have two apps that are essentially separate things.
These apps can be served from a web page via HTTP, and either don't have an auth system or need one revamped.
You want a centralized login system with social auth.
You have a single business entity.
You want a single, combined source of data for e-commerce.
You are essentially setting this up from scratch on the WordPress backend side, there is no current mixed ecosystem of users.
My thoughts:
You DO NOT want LDAP or Kerberos. Those solutions are much too complex for this situation.
You want a SINGLE WordPress install. You can easily set up the backend to answer to multiple domains. In other words, a single WordPress install can handle pages at "domain1.com" and "domain2.com" and render the pages with completely different headers and text to make them APPEAR as two sites. There is no reason to maintain two separate lists of users, because you want a single system to login. Differentiate the users based on their business data, i.e. user1 has data "registered on SiteA", user2 has data "registered on SiteB" etc.
You can place your app into a WordPress page, then use is_user_logged_in() to firewall it behind WordPress. This is an industry standard method of auth and extremely secure if setup correctly. Or if it's a data api, you can place it as an endpoint and leverage the exact same auth system.
Any of the major social auth plugins that are popular in the free .org repo should work out the box with this method.
If you are going to associate blogging, that is, many "posts" about the products, and you want those blogs to be different ecosystems, with different sets of users, you are looking for WordPress Multi-Site. I don't think this is what you want. You don't sound like you are going to "blog". Or at least every page is going to be meticulously curated on these combined sites. So you're probably looking for just a single install to serve content to two domains. NOT MULTISITE.
You should use WooCommerce, simply because it is the most widely supported platform. Setup is 100% free.
You can easily serve pages that are branded totally differently, even in one install. For instance, one WordPress site can serve pages to two domains, and put different logos and headers on the top of the page to make them appear different. One physical machine can serve two domains.
Bottom line: You want a single WordPress setup on a single machine, serving two domains. The content and appearance on the domains can be different at will. Use any popular social auth plugins in the .org repo to firewall the apps.
I would like to display a list of available Moodle courses and available places for each of the courses on a Drupal site.
Is there a simple way of integrating Moodle and Drupal so that when a Max enrolled users is set in Moodle, the Drupal enrolment form will display the number of available places, and disable the ability of users enrolling in courses which have no places left?
There is an authentication plugin available, moodle-drupalservices, for SSO between both systems.
You can read more about it in the module documentation.
If you want to fetch details of Moodle courses in Drupal, then a web service is the best way to achieve it; you just need to create a web services client in Drupal to consume Moodle services.
http://docs.moodle.org/dev/Category:Web_Services
Use the core_course_get_courses web service function; you don't need to pass any value to it, and it will fetch the details of all available courses from Moodle.
There is a module for Moodle integration in Drupal - Moodle Connector. There are some other related modules which enhance the integration further, like Commerce Moodle, which lets you sell the course, and you get Drupal Commerce to handle your selling... great, right?
But if you are working in D6, then you will have to check another module, Moodleconnect, but it's still in a DEV version, so you may have to work on it.
https://www.drupal.org/project/issues/moodle_views will allow you to list courses using a Drupal View. This module doesn't (yet) allow you to display the places available, but if you still need this functionality I could probably add it relatively easily.
I use Drupal with CiviCRM for our nonprofit's public site and CRM database, and Open Atrium for the intranet. My goal is to either sync or share specific users from the public site to the intranet, to allow single sign-on.
However, only users who are part of a specific CiviCRM smart group (volunteers) should be shared/synced. I could use the module to sync CiviCRM groups with Drupal organic groups if that would make this task easier.
Any thoughts?
Usually, the Domain Access module is used for synching users and whatnot, but your requirement that only certain users be synched throws a wrench into that setup.
Therefore, I'd recommend that you either:
Sort through that module's documentation to see if it provides any hooks so that you can filter down the user list, and if not...
Just look at how that module does its heavy lifting and write a custom module to do the same but only with a limited set of users.
Actually, you can use Account Sync for this. (where only a sub-set of users is required.)
Just create a sync role and assign account sync permissions to that role only.
Use a server key to encrypt this as you would for XML-RPC.
http://drupal.org/project/account_sync
If Single Sign-On is your goal, Bakery provides single sign-on between multiple Drupal sites (including Drupal.org and other sites in the *.drupal.org network, something of a recommendation).
Worth checking out - while it does involve some additional setup / config, it doesn't mess with Drupal so much as some other options.
It does require that your sites are on the same base domain, and that they are on the same protocol (can't mix https://example.com with http://foo.example.com).
See Bakery documentation for further info.
Is there a way to have a content type that is only viewable to admins AND the person who created it, including comments? I feel like I know the answer to this but it's escaping me.
Try the Nodeaccess module. Some more details about this module (from its project page):
Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes. Users with the 'grant node permissions' permission will have a grant tab on node pages which allows them to grant access to that node by user or role. Administrators can set default access controls per content type, and also define which roles are available to grant permissions to on the node grants tab.
The upshot is, this module allows you to do things like 'node 123 can be viewed by authenticated users and edited by admin users and joeuser'. As an added bonus, update and delete permissions are separated, so you can make sure users with edit permissions cannot accidentally delete pages.
If the content type is defined by your own module, you can use hook_access to do this.
If the content type is defined by CCK or another module, things are a bit trickier. You can install a patch that adds an access op to hook_nodeapi, but unfortunately that's a hack to the core Drupal code, with all the potential upgrade pitfalls that ensue.
I am building a DMS for our intranet and use a taxonomy hierarchy because we need access control that way. All company locations manage (upload,edit) their own documents but should be able to access all. This is inherited to the child terms and works fine.
Additionally we want a simple 3-step workflow (draft, published, archived). So I introduced roles for editor, publisher and docadmin and set permissions for the transitions. Also triggers to effectively (un)publish documents.
But (of course) a user of role publisher can do the transition for ALL documents. But we want a publisher for each company location (top taxonomy level, see above).
Could this be achieved? Do I have to set it up by myself (I guess "rules" is appropriate to do this) or is there another module helping?
Role inheritance was a guess, but that is only about roles (naturally).
"Module grants" I use and checked first option. That way my thoughts are going. I hope you get my idea resp. problem.
drupal 6.16 current
edit:
I reread the docs and found ie. http://drupal.org/node/408018 Revisioning for categorized content. Will reread that.
It seems you're running into a known issue in Drupal 6's node access API. Grants only work as an approval, so if any access module says a user can perform an action no other module can take it away. The only other solution I can think of would be a mash of the modules to calculate based on both criteria, obviously a potentially complex task.
Certainly not recommended, but you could apply your own logic to scan the grants tables to remove entries for users that don't match up with both criteria. You would have to find the right hook to have it perform its work after both other modules have calculated their values and saved them to the database.
Good news: this is fixed in D7. Bad news: D7 will be a while.
Drupal 7 will allow modules to approve, deny, or abstain from node access decisions. As such, your taxonomy module could say the users are approved for these terms, denied for others. As well, workflow could approve for some stages and deny for others. A user would require at least one approval and no denials.
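The two combination rules described in the answers above, as a small Python model added here for illustration; it is not Drupal code and not code from the original posts. The module functions, user names and locations are constructed, and only the rules themselves (any approval wins in Drupal 6; at least one approval and no denials in Drupal 7) come from the thread.

```python
from enum import Enum


class Vote(Enum):
    ALLOW = "allow"
    DENY = "deny"
    IGNORE = "ignore"


# Constructed sample data: publishers and an editor, each tied to one location.
USERS = {
    "anna": {"roles": {"publisher"}, "location": "berlin"},
    "ben": {"roles": {"publisher"}, "location": "madrid"},
    "cara": {"roles": {"editor"}, "location": "berlin"},
}
DOCS = {"doc1": {"location": "berlin"}, "doc2": {"location": "madrid"}}


def location_module(user, doc):
    """Taxonomy-style rule: act only on documents of your own location."""
    return Vote.ALLOW if user["location"] == doc["location"] else Vote.DENY


def workflow_module(user, doc):
    """Workflow-style rule: only the publisher role may run the transition."""
    return Vote.ALLOW if "publisher" in user["roles"] else Vote.DENY


MODULES = (location_module, workflow_module)


def d6_style(user, doc):
    """Grant-only model: a refusal cannot be expressed, so any approval wins."""
    return any(m(user, doc) is Vote.ALLOW for m in MODULES)


def d7_style(user, doc):
    """Approve/deny/abstain model: at least one approval and no denials."""
    votes = [m(user, doc) for m in MODULES]
    return Vote.DENY not in votes and Vote.ALLOW in votes


def can_publish(rule, username, doc_id):
    """Evaluate the publish transition for a named user and document."""
    return rule(USERS[username], DOCS[doc_id])


if __name__ == "__main__":
    for name in USERS:
        for doc_id in DOCS:
            print(name, doc_id,
                  "d6:", can_publish(d6_style, name, doc_id),
                  "d7:", can_publish(d7_style, name, doc_id))
```

Under the grant-only rule the Madrid publisher can publish the Berlin document because the workflow approval alone is enough; under the deny-aware rule the location check removes that access.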