You are here

README.txt in Module Grants 6.4

Same filename and directory in other branches
  1. 6 README.txt
  2. 6.3 README.txt
  3. 7 README.txt
DESCRIPTION
===========
This module gets around two quirks in the 6.x core Node module.
Currently the Node module:
- causes access grants to be ignored for unpublished content;
- ORs together access grants coming from multiple modules; this results
  in content being made accessible by one module when access had already
  been restricted by another, which is undesirable in most cases.

The module ensures that access grants are tested for unpublished content just
as they are for published content, so that using the Workflow module (or any
other module that uses the node_access table) you can implement workflows that
deal effectively with content moving from author via moderator to publisher 
BEFORE it is published (which is where it's needed most, once content is 
visible for all to see, it's a bit late to start a publication workflow
process!).
Using Taxonomy Access Control (or -Lite) you can restrict access to content
to user-defined "vocabularies" such as departments or regions. With Module
Grants this will work for unpublished content just as it does for published
content.
Moreover when Workflow and TAC or (TAC-Lite) are used together this module
makes sure that the combination exhibits the expected behaviour: access is
granted to content only when it is in the correct state AND of the appropriate
vocabulary "term" (such as department, country, etc.).
The module_grants module achieves this by AND-ing rather than OR-ing the grants.

Module Grants comes bundled with Module Grants Monitor (optional), which
provides users with a new menu item, "Accessible Content" that shows a list of
all content accessible to the logged-in user based on the permissions and
access grants as determined by enabled modules. This list may be filtered using
a double row of tabs residing at the top of the page, see point 3a below.

INSTALLATION AND CONFIGURATION
==============================
1. Place the "module_grants" folder in your "sites/all/modules" directory.
2. Under Administer >> Site building >> Modules, enable Module Grants and
   optionally Module Grants Monitor (recommended).
3a Visit Administer >> User management >> Permissions. Make sure that roles
   that are meant to be able to view unpublished and not yet published content
   have one of the following permissions:
   o "view revisions" (section "node module"), or
   o "view any|all <content-type> content" (section "revisioning module", if
   Revisioning installed).
   Make sure that the role of anonymous user does NOT have any of the above
   permissions.
3b There's usually no need to tick "administer nodes" for any role, which is
   good because "administer nodes" equates to almost god-like powers that you
   wouldn't normally give to normal users.
4. If required, install and enable as many modules for content access control
   as you need for your situation. Typical examples are Taxonomy Access Control
   (or use TAC Lite) and Workflow.
5. Optional, but highly recommended, especially when using Revisioning. Under
   Administer >> User management >> Permissions, section "module_grants_monitor
   module" select for each role which filtering tab they will get to use. The
   permissions, which are in alphabetical rahter than logical order, relate to
   two rows of tabs that appear on the 'Accessible content' page.
   The first row of up to 4 tabs filter content the logged-in user
     created,
     modified, 
     can edit,
     can view
   The second row of up to 3 tabs further filter content according to it being
     published,
     unpublished (includes previously published as well as not yet published)
     either ("all", that is: no additional filtering)

   NOTE 1: you must tick at least one permission box for each of the 2 rows
   NOTE 2: these tick boxes only determine whether the role in question gets
   to see the tabs, they do not in any way affect access to content. So in
   that sense you can safely tick any or all of the tab boxes for all
   authenticated users. However you may not want to confuse certain roles
   with too many tabs and too much output.

USAGE
=====
Module Grants Monitor creates a new navigation menu item, 'Accessible content'
visible to the administrator and to roles to which the administrator granted
access as per the above section, point 5. The content shown under 'Accessible
content' reflects the access grants given by modules installed on your system
to the current user.

You can use Module Grants in combination with TAC or TAC-Lite for fine-grained
access control based on vocabularies (such as "department") assigned to the
various content types. You can then create department-specific roles (eg
Sports Author, Music Author) and enforce that these roles can only access
content belonging to their departments, whether it's published or not.
Create your grants "schemes" on this page: Administer >> User management >>
Access control by taxonmy.
In addition you may want to install the Workflow module to further segragate
roles (eg author and moderator) via access control based on states such as
"in draft", "in review" and "published". See Administer >> Site building >>
Workflow.
The module makes sure that access to content is given only when BOTH the
TAC (Lite) and the Workflow Access modules grant it (as opposed to one OR
the other).

This module also works well with the Revisioning module for creating effective
publication workflows operating on published as well as unpublished content
revisions. 
See the Revisioning project page at http://drupal.org/project/revisioning
for three step-by-step tutorials.

Be aware that any permissions given in the "node module" section override the
access grants given by the Workflow and TAC-Lite modules, so you probably only
want to assign a few creation permissions in the node module and grant 
view, update and delete via TAC/TAC-Lite and/or Workflow.

Additional configuration options are found at Administer >> Site configuration
>> Module Grants.

API
===
Module Grants features one hook, hook_user_node_access($revision_op, $node),
which module developers may implement to alter or add to the behaviour of
Module Grants as it determines whether access to a supplied node or revision
should be granted using the requested operation.
See the comments at the top of the module_grants.module file.

AUTHOR
======
Rik de Boer, Melbourne, Australia.

File

README.txt
View source
  1. DESCRIPTION
  2. ===========
  3. This module gets around two quirks in the 6.x core Node module.
  4. Currently the Node module:
  5. - causes access grants to be ignored for unpublished content;
  6. - ORs together access grants coming from multiple modules; this results
  7. in content being made accessible by one module when access had already
  8. been restricted by another, which is undesirable in most cases.
  9. The module ensures that access grants are tested for unpublished content just
  10. as they are for published content, so that using the Workflow module (or any
  11. other module that uses the node_access table) you can implement workflows that
  12. deal effectively with content moving from author via moderator to publisher
  13. BEFORE it is published (which is where it's needed most, once content is
  14. visible for all to see, it's a bit late to start a publication workflow
  15. process!).
  16. Using Taxonomy Access Control (or -Lite) you can restrict access to content
  17. to user-defined "vocabularies" such as departments or regions. With Module
  18. Grants this will work for unpublished content just as it does for published
  19. content.
  20. Moreover when Workflow and TAC or (TAC-Lite) are used together this module
  21. makes sure that the combination exhibits the expected behaviour: access is
  22. granted to content only when it is in the correct state AND of the appropriate
  23. vocabulary "term" (such as department, country, etc.).
  24. The module_grants module achieves this by AND-ing rather than OR-ing the grants.
  25. Module Grants comes bundled with Module Grants Monitor (optional), which
  26. provides users with a new menu item, "Accessible Content" that shows a list of
  27. all content accessible to the logged-in user based on the permissions and
  28. access grants as determined by enabled modules. This list may be filtered using
  29. a double row of tabs residing at the top of the page, see point 3a below.
  30. INSTALLATION AND CONFIGURATION
  31. ==============================
  32. 1. Place the "module_grants" folder in your "sites/all/modules" directory.
  33. 2. Under Administer >> Site building >> Modules, enable Module Grants and
  34. optionally Module Grants Monitor (recommended).
  35. 3a Visit Administer >> User management >> Permissions. Make sure that roles
  36. that are meant to be able to view unpublished and not yet published content
  37. have one of the following permissions:
  38. o "view revisions" (section "node module"), or
  39. o "view any|all content" (section "revisioning module", if
  40. Revisioning installed).
  41. Make sure that the role of anonymous user does NOT have any of the above
  42. permissions.
  43. 3b There's usually no need to tick "administer nodes" for any role, which is
  44. good because "administer nodes" equates to almost god-like powers that you
  45. wouldn't normally give to normal users.
  46. 4. If required, install and enable as many modules for content access control
  47. as you need for your situation. Typical examples are Taxonomy Access Control
  48. (or use TAC Lite) and Workflow.
  49. 5. Optional, but highly recommended, especially when using Revisioning. Under
  50. Administer >> User management >> Permissions, section "module_grants_monitor
  51. module" select for each role which filtering tab they will get to use. The
  52. permissions, which are in alphabetical rahter than logical order, relate to
  53. two rows of tabs that appear on the 'Accessible content' page.
  54. The first row of up to 4 tabs filter content the logged-in user
  55. created,
  56. modified,
  57. can edit,
  58. can view
  59. The second row of up to 3 tabs further filter content according to it being
  60. published,
  61. unpublished (includes previously published as well as not yet published)
  62. either ("all", that is: no additional filtering)
  63. NOTE 1: you must tick at least one permission box for each of the 2 rows
  64. NOTE 2: these tick boxes only determine whether the role in question gets
  65. to see the tabs, they do not in any way affect access to content. So in
  66. that sense you can safely tick any or all of the tab boxes for all
  67. authenticated users. However you may not want to confuse certain roles
  68. with too many tabs and too much output.
  69. USAGE
  70. =====
  71. Module Grants Monitor creates a new navigation menu item, 'Accessible content'
  72. visible to the administrator and to roles to which the administrator granted
  73. access as per the above section, point 5. The content shown under 'Accessible
  74. content' reflects the access grants given by modules installed on your system
  75. to the current user.
  76. You can use Module Grants in combination with TAC or TAC-Lite for fine-grained
  77. access control based on vocabularies (such as "department") assigned to the
  78. various content types. You can then create department-specific roles (eg
  79. Sports Author, Music Author) and enforce that these roles can only access
  80. content belonging to their departments, whether it's published or not.
  81. Create your grants "schemes" on this page: Administer >> User management >>
  82. Access control by taxonmy.
  83. In addition you may want to install the Workflow module to further segragate
  84. roles (eg author and moderator) via access control based on states such as
  85. "in draft", "in review" and "published". See Administer >> Site building >>
  86. Workflow.
  87. The module makes sure that access to content is given only when BOTH the
  88. TAC (Lite) and the Workflow Access modules grant it (as opposed to one OR
  89. the other).
  90. This module also works well with the Revisioning module for creating effective
  91. publication workflows operating on published as well as unpublished content
  92. revisions.
  93. See the Revisioning project page at http://drupal.org/project/revisioning
  94. for three step-by-step tutorials.
  95. Be aware that any permissions given in the "node module" section override the
  96. access grants given by the Workflow and TAC-Lite modules, so you probably only
  97. want to assign a few creation permissions in the node module and grant
  98. view, update and delete via TAC/TAC-Lite and/or Workflow.
  99. Additional configuration options are found at Administer >> Site configuration
  100. >> Module Grants.
  101. API
  102. ===
  103. Module Grants features one hook, hook_user_node_access($revision_op, $node),
  104. which module developers may implement to alter or add to the behaviour of
  105. Module Grants as it determines whether access to a supplied node or revision
  106. should be granted using the requested operation.
  107. See the comments at the top of the module_grants.module file.
  108. AUTHOR
  109. ======
  110. Rik de Boer, Melbourne, Australia.