I am running a Drupal 7 site, and I need to allow users to view unpublished nodes, I did check the "Bypass content access control" in permissions page for both authenticated and anonymous users, but instead of "Access denied" I keep getting "The page isn't redirecting properly", while debugging the site with NetBeans, I did notice it goes into infinite loop when visiting that URL.
Any modules/hooks you suggest me using, that'll be great.
The module views unpublished allows you to grant access for specific user roles to view unpublished nodes of a specific type. Access control is quite granular in this regard. Additionally, using this module does not require any modifications to your existing URL structure.
Related
I have created several pages in my drupal website and set permissions to each of the page depending upon the roles I have.
The problem is if I know the URL, I can access that page even though I am not a registered and authorized user.
This will be a problem if some random person/hacker plays around with the URLs and comes across a page that is supposed to be viewed by an authorized user.
I am new to Drupal and any help is appreciated.
If you correctly set the permissions it will restrict access based on roles regardless if they know the URL. Are you sure that when you are testing it you are actually signed into or using a role that doesn't have access to that page?
Drupal lets you set permissions for who can Create, Edit and Delete content types. You need a contributed module for setting who can 'View' permissions of individual pages/nodes.
Download Content Access from https://drupal.org/project/content_acces. After you install it and configure the default values for the content type, you will need to click the content access tab after you create the page.
'Taxonomy Access Control Lite' is very light and more user-friendly; permissions are set within the edit view (normal fields), however, it takes some effort to understand how it works and to set it up.
See a comprehensive list of node access modules at https://drupal.org/node/270000
Tip: Don't use more than one module for node access permissions.
I am using the question module on my Drupal 7.x website and I want some specific people to answer that.
Node_invite and rsvp modules only have a 6.x version.
You can use the Node Access Password or the Access Links modules. These allow for node access by using a password and a path alias respectively.
Notice that you should uncheck the permission of "View published content" from all kind of user roles and of course from anonymous users.
django 1.5.1
django cms 2.4.2
i am just learning django-cms and am working on my first test site. I searched this site and googled for these questions but can't find any answers which is why I am posting here.... Any help would be appreciated!
Through the admin page (as superuser) i added a group with permission to add/change/delete pages in addition to other permissions.
I create a user and assign the user to this group.
First of all, if i don't specify that user as staff then they can't access the admin site to login to begin with - this just doesn't make sense to me: what's the point of a user who never has the option to log in? Or is there something I'm missing - is there another way to log in besides the admin site itself.
Second, after marking that user as staff, and keeping in mind that the user is a member of group with permission to add/edit/delete pages, when the user logs in he can perform other admin tasks that he was given permissions for but still can't add/edit/delete pages. Although pages shows up as an object there is no link to the page list.
The Staff setting is to differentiate between users who are allowed to access the Django admin and users who aren't i.e. regular users who have signed up to your website via a registration form.
I had the same problem as you creating a new non-superuser user and not being able to add or edit pages as that user. It turned out that I needed to set CMS_PERMISSION = False in my settings.py.
If CMS_PERMISSION == True, you get a more fine-grained permissions framework where each page has its own list of users who are allowed to view and edit it, so permission to edit is done on a page-by-page basis (unless you're a superuser). If you don't need that functionality, I suggest you turn it off.
If you do want the more fine-grained permissions system, but you also want some users to be able to edit any page on the site, log in to django admin as a superuser and look at Cms -> Pages global permissions. From there you can give blanket edit rights to any user or group.
On my site a authorized user can create a content type called protocol. This can be saved as either published or unpublished by the user. I want to make a page containing a view called "My protocols" where the current user can go and view all the protocols which they are the author of, published and unpublished.
To do this I created the view "My protocols" with the Views module, which shows the protocols in an unformated list of teasers. I use the filters "Content: Type(=protocol)" and "(author) User:Current(Yes)". And for page settings I have :
Path:/my-protocols
Menu:Normal: My protocols
Access:Permission | View own unpublished content
I've tried varying the Access part with no succes.
And under people>permissions I have set to allow authorized users to: "View own unpublished content" and "Access content overview page" (and other stuff offcourse, but these the ones I taught might be related to my problem with Views)
When I try looking at the "My protocols" view logged in as a authorized user I can't get it to show unpublished content, and I have checked that this users has created content of the type protocol which is both published and unpublished. But when looking at the page when logged in as an administrator I see both published and unpublished content.
Is it for some reason not possible to do what I want to do? Or have I forgotten something? Or do I need to install some further module to do it?
I think this is because views uses the node_access table to check node access rights, but unpublished nodes are removed from the node_access table. You may try disabling "SQL rewriting" in the "Query settings" of the view, under the "Advanced" section. Not sure if that is the solution though.
Is there a way to have a content type that is only viewable to admins AND the person who created it, including comments? I feel like I know the answer to this but its escaping me.
Try the Nodeaccess module. Some more details about this module (from its project page):
Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes. Users with the 'grant node permissions' permission will have a grant tab on node pages which allows them to grant access to that node by user or role. Administrators can set default access controls per content type, and also define which roles are available to grant permissions to on the node grants tab.
The upshot is, this module allows you to do things like 'node 123 can be viewed by authenticated users and edited by admin users and joeuser'. As an added bonus, update and delete permissions are separated, so you can make sure users with edit permissions cannot accidentally delete pages.
If the content type is defined by your own module, you can use hook_access to do this.
If the content type is defined by CCK or another module, things are a bit trickier. You can install a patch that adds an access op to hook_nodeapi, but unfortunately that's a hack to the core Drupal code, with all the potential upgrade pitfalls that ensue.