I have created a new role 'news contributor'.
I have created a new content type 'news'.
The 'news contributor' role has permissions enabled to view, revert, delete revisions.
However, this setting also gives them access to view, revert, delete revisions on ALL nodes.
How can i restrict node revisions on specific content types based on user role?
The 'news contributor' should only be able to tinker with revisions for the 'news' content type and nothing else.
At the moment they have access to revision any node which is undesirable.
Has anyone had this issue before and, how did you resolve it?
Thanks.
It appears that this is not possible in drupal core. To get around this is to disable core revision and use the Revisioning module instead. You can grant permission to a specific role to publish while other roles can have the ability to create revisions as this user pointed out: https://drupal.stackexchange.com/a/124385/32276
Related
I have created several pages in my drupal website and set permissions to each of the page depending upon the roles I have.
The problem is if I know the URL, I can access that page even though I am not a registered and authorized user.
This will be a problem if some random person/hacker plays around with the URLs and comes across a page that is supposed to be viewed by an authorized user.
I am new to Drupal and any help is appreciated.
If you correctly set the permissions it will restrict access based on roles regardless if they know the URL. Are you sure that when you are testing it you are actually signed into or using a role that doesn't have access to that page?
Drupal lets you set permissions for who can Create, Edit and Delete content types. You need a contributed module for setting who can 'View' permissions of individual pages/nodes.
Download Content Access from https://drupal.org/project/content_acces. After you install it and configure the default values for the content type, you will need to click the content access tab after you create the page.
'Taxonomy Access Control Lite' is very light and more user-friendly; permissions are set within the edit view (normal fields), however, it takes some effort to understand how it works and to set it up.
See a comprehensive list of node access modules at https://drupal.org/node/270000
Tip: Don't use more than one module for node access permissions.
I would like specific nodes to only be available to authenticated users in drupal 7. Most modules that I have seen are still in development.
Effectively I need to create a few members only pages. Basically any content in this node cannot be accessed is visitor is not logged in
I would probably go ahead and use the node access module even though it's in dev. The warnings are mostly the author trying to say he doesn't want to be held responsible.
Otherwise you'll need to manually do it by implementing hook_node_access in a custom module
The Node Option Premium module might do what you want.
This module adds a new node option Premium content along with core publishing options (Published, Promoted to front page, Sticky at top of lists).
When a node is published as premium content, only users with proper privileges may view the full content of the node.
Non-premium users can still access premium nodes but only get the content rendered in teaser context, even when trying to view the full content. An additional message informs them that the content is available to premium users only.
According to the documentation at http://drupal.org/node/1106606 "By enabling 'View own unpublished content', you grant users access to their own unpublished content." Great, but then how can a user with that permission actually find her own unpublished content?
I have a Drupal 7 site and I created a user, then gave 'Content Editor' and 'Blogger' roles to it. I checked the permissions and those roles have 'View own unpublished content' set. Along with permissions such as 'View the administrative dashboard'. Please see the following screen shots:
http://www.flickr.com/photos/64416865#N00/5736169925/
http://www.flickr.com/photos/64416865#N00/5736720168/
However the user that has only 'Content Editor' + 'Blogger' roles cannot see any link on which she can click to see her unpublished content. I can log in as an administrator, then I see the administrative overlay, I can see the 'Find content' link on top, I can visit /admin/content. But that other user cannot see that administrative overlay and when tries to visit /admin/content she receives "Access denied You are not authorized to access this page." message.
Am I missing some permissions? Or did I forget some other thing? How can a non-admin user with 'View own unpublished content' permission set actually see the list of her unpublished content items?
UPDATE: Based on some suggestions and realising the security implications of my first solution I undid it, installed the Views and created a view which shows unpublished blog entries filtered by author = current user. I think this is much more compatible with the 'Drupal way'.
Apparently one also needs to set 'Access the content overview page' permission! So that the user can access admin/content.
Drupal doesn't create a list of unpublished content by default; therefore, there is no such listing. If you don't want to give admin permissions to the content listing for your Content Editor and Blogger users, you can try creating a View to list all the user's unpublished content and make the view available to the user so that he/she can see the list.
How do I set content permission so that specific nodes are only visible to the admin user, while other nodes of the same content type may be visible by all users.
D6: Go to admin/user/permissions and make sure access content is unchecked for all roles.
D7: Go to admin/people/permissions and make sure View published content is unchecked for all roles other than Administrator
Best way would be to use Content Access module as it provides admin/structure/types/manage/content-type/access page to manage permissions.
There you can check PER CONTENT NODE ACCESS CONTROL SETTINGS to enable content level permission for different nodes of same content type.
Now you can go to node/node-id/access page to provide permission for particular node and only assign view any content permission to admin user.
If you don't want to go to the trouble of installing a new module you could just unpublish the content, then only administrators will be able to view it
Is there a way to have a content type that is only viewable to admins AND the person who created it, including comments? I feel like I know the answer to this but its escaping me.
Try the Nodeaccess module. Some more details about this module (from its project page):
Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes. Users with the 'grant node permissions' permission will have a grant tab on node pages which allows them to grant access to that node by user or role. Administrators can set default access controls per content type, and also define which roles are available to grant permissions to on the node grants tab.
The upshot is, this module allows you to do things like 'node 123 can be viewed by authenticated users and edited by admin users and joeuser'. As an added bonus, update and delete permissions are separated, so you can make sure users with edit permissions cannot accidentally delete pages.
If the content type is defined by your own module, you can use hook_access to do this.
If the content type is defined by CCK or another module, things are a bit trickier. You can install a patch that adds an access op to hook_nodeapi, but unfortunately that's a hack to the core Drupal code, with all the potential upgrade pitfalls that ensue.