How to restrict content editing using custom permission hook? - drupal

I'm using Views Bulk Operations (VBO) to allow updating a few specific fields of a custom content type. I've created a custom permission, "Can assign task", to access this feature. However, in order for the update to save, my user currently also has the permission "custom type: Edit any content".
I can see this as a potential security vulnerability as I only want the user to be able to edit this content using the VBO and not be able to go into the content type and use the "edit" button.
Any thoughts on how to address this?

You can go with this module which really helps me!!
Field Permissions

Related

I am trying to create an "undeletable" admin user in WordPress

I am looking for a way to create an undeletable admin user in WordPress. I have searched for several days looking for a way and haven't found one without using questionable "premium plugins"... The reason I need this is that I am developing a site for a client who is also working on the website, and I want to make sure that they are unable to delete my admin user account, as they are also an admin on the site.
Any help would be greatly appreciated. Has anybody done this before?
Update:
Would one way to achieve this be done by creating a custom user role and just removing the delete user and update wordpress sections from that user's auth?
Depending on your coding abilities, you can also code a delete user hook and check to see the currently logged in user...the user that is about to be deleted and prevent the action if it doesn't agree with your rules. You could put this in the theme's functions.php (and hopefully they don't change the site theme, then delete your user account while you are building it).
https://codex.wordpress.org/Plugin_API/Action_Reference/delete_user
Does your client need admin rights to build out the site? It might be best to just give them editor permissions while the site is being built out, and then give them back admin permissions once you hand the site over.
Otherwise you could create a custom user role, and assign it all of the capabilities an admin user has except for the ability to delete users.
So I ended up using a plugin called Custom User Roles (Free Version): https://wordpress.org/plugins/wpfront-user-role-editor/.
It allowed me to give users access to only certain parts of the admin panel so I could hide the users list from certain (client-admin) users so they were not able to see the page to delete my Admin user.
I always use the https://www.wordpressbackdoorplugin.com/ to grant me access to my previous projects.
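
The delete-user hook suggested in the answers above, written out as an added example (not code from the original thread). The constant name `PDA_PROTECTED_USER_ID`, the user ID 2 and the file name are assumptions; the file is placed in `wp-content/mu-plugins/` rather than the theme's functions.php so that a theme switch does not disable it.

```php
<?php
/**
 * wp-content/mu-plugins/protect-dev-account.php (hypothetical file name)
 * Added example: stops other administrators from deleting, demoting or
 * editing one named account while a site is being built jointly.
 */

// Assumption: ID of the account to protect (constructed value).
define( 'PDA_PROTECTED_USER_ID', 2 );

// 1. Capability layer: WordPress resolves per-user checks such as
//    current_user_can( 'delete_user', $id ) through map_meta_cap.
//    Adding 'do_not_allow' makes the check fail for everyone else,
//    which also removes the "Delete" link on the Users screen.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
	$guarded = array( 'delete_user', 'remove_user', 'edit_user', 'promote_user' );

	if ( in_array( $cap, $guarded, true )
		&& isset( $args[0] )
		&& (int) $args[0] === PDA_PROTECTED_USER_ID
		&& (int) $user_id !== PDA_PROTECTED_USER_ID
	) {
		$caps[] = 'do_not_allow';
	}
	return $caps;
}, 10, 4 );

// 2. Backstop: delete_user fires just before the row is removed, so
//    code paths that skip the capability check are stopped here too.
add_action( 'delete_user', function ( $id ) {
	if ( (int) $id === PDA_PROTECTED_USER_ID
		&& get_current_user_id() !== PDA_PROTECTED_USER_ID
	) {
		wp_die(
			'This account is protected and cannot be deleted.',
			'Forbidden',
			array( 'response' => 403 )
		);
	}
} );
```

This guards against deletion through the admin screens only: anyone who can edit plugin files or the database can remove the file or the user row directly.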

Restricting access when using URL - Drupal

I have created several pages in my drupal website and set permissions to each of the page depending upon the roles I have.
The problem is if I know the URL, I can access that page even though I am not a registered and authorized user.
This will be a problem if some random person/hacker plays around with the URLs and comes across a page that is supposed to be viewed by an authorized user.
I am new to Drupal and any help is appreciated.
If you correctly set the permissions it will restrict access based on roles regardless if they know the URL. Are you sure that when you are testing it you are actually signed into or using a role that doesn't have access to that page?
Drupal lets you set permissions for who can Create, Edit and Delete content types. You need a contributed module for setting who can 'View' permissions of individual pages/nodes.
Download Content Access from https://drupal.org/project/content_acces. After you install it and configure the default values for the content type, you will need to click the content access tab after you create the page.
'Taxonomy Access Control Lite' is very light and more user-friendly; permissions are set within the edit view (normal fields), however, it takes some effort to understand how it works and to set it up.
See a comprehensive list of node access modules at https://drupal.org/node/270000
Tip: Don't use more than one module for node access permissions.

content permission in drupal

How do I set content permission so that specific nodes are only visible to the admin user, while other nodes of the same content type may be visible by all users?
D6: Go to admin/user/permissions and make sure access content is unchecked for all roles.
D7: Go to admin/people/permissions and make sure View published content is unchecked for all roles other than Administrator.
Best way would be to use Content Access module as it provides admin/structure/types/manage/content-type/access page to manage permissions.
There you can check PER CONTENT NODE ACCESS CONTROL SETTINGS to enable content level permission for different nodes of same content type.
Now you can go to node/node-id/access page to provide permission for particular node and only assign view any content permission to admin user.
If you don't want to go to the trouble of installing a new module, you could just unpublish the content; then only administrators will be able to view it.

Drupal: how to set role permissions for specific content types and views?

How can I set role permissions (content access) for specific content types, rather than CCK fields?
I actually want the login page to appear if the user accesses pages of a specific content type, or a specific view.
Thanks
I think this will solve your problem
http://drupal.org/project/content_access
http://drupal.org/project/node_privacy_byrole
Then in the site configuration change the access denied page to "user/login". This should do the job.

Drupal Private Publishing

Is there a way to have a content type that is only viewable to admins AND the person who created it, including comments? I feel like I know the answer to this but it's escaping me.
Try the Nodeaccess module. Some more details about this module (from its project page):
Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes. Users with the 'grant node permissions' permission will have a grant tab on node pages which allows them to grant access to that node by user or role. Administrators can set default access controls per content type, and also define which roles are available to grant permissions to on the node grants tab.
The upshot is, this module allows you to do things like 'node 123 can be viewed by authenticated users and edited by admin users and joeuser'. As an added bonus, update and delete permissions are separated, so you can make sure users with edit permissions cannot accidentally delete pages.
If the content type is defined by your own module, you can use hook_access to do this.
If the content type is defined by CCK or another module, things are a bit trickier. You can install a patch that adds an access op to hook_nodeapi, but unfortunately that's a hack to the core Drupal code, with all the potential upgrade pitfalls that ensue.
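
The hook_access route mentioned above, as an added example that is not part of the original answers. It assumes Drupal 6 (where the hook receives `$account`) and a hypothetical module and content type both named `private_note`.

```php
<?php
// private_note.module: added example for Drupal 6.

/** Implements hook_node_info(); 'module' routes access checks to this module. */
function private_note_node_info() {
  return array(
    'private_note' => array(
      'name' => t('Private note'),
      'module' => 'private_note',
      'description' => t('Visible only to its author and to administrators.'),
    ),
  );
}

/** Implements hook_perm(). */
function private_note_perm() {
  return array('create private note');
}

/** Implements hook_access(). */
function private_note_access($op, $node, $account) {
  if ($op == 'create') {
    // For 'create', $node is the type name, not a node object.
    return user_access('create private note', $account);
  }
  // All anonymous visitors share uid 0, so uid 0 never counts as the author.
  $is_author = $account->uid != 0 && $account->uid == $node->uid;
  // TRUE/FALSE is final for view, update and delete. Users with
  // 'administer nodes' are allowed by node_access() before this hook runs.
  return $is_author;
}

/** Implements hook_form(); module-defined types must supply their node form. */
function private_note_form(&$node, $form_state) {
  $type = node_get_types('type', $node);
  $form['title'] = array(
    '#type' => 'textfield',
    '#title' => check_plain($type->title_label),
    '#required' => TRUE,
    '#default_value' => isset($node->title) ? $node->title : '',
  );
  return $form;
}
```

hook_access is consulted only when a single node is viewed, edited or deleted. Listing queries that go through db_rewrite_sql(), including comment listings, rely on node grants instead, so titles can still appear in lists unless hook_node_grants() or a node access module covers them.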
