I am building a DMS for our intranet and use a taxonomy hierarchy because we need access control that way. All company locations manage (upload, edit) their own documents but should be able to access all. This is inherited by the child terms and works fine.

Additionally we want a simple 3-step workflow (draft, published, archived). So I introduced roles for editor, publisher and docadmin and set permissions for the transitions. Also triggers to effectively (un)publish documents.

But (of course) a user of role publisher can do the transition for ALL documents. But we want a publisher for each company location (top taxonomy level, see above).

Could this be achieved? Do I have to set it up by myself (I guess "rules" is appropriate to do this) or is there another module helping?

Role inheritance was a guess, but that is only about roles (naturally). "module grants" I use and checked the first option. That way my thoughts are going. I hope you get my idea resp. problem.

Drupal 6.16 current

Edit: I reread the docs and found i.e. http://drupal.org/node/408018 Revisioning for categorized content. Will reread that.

A: 

It seems you're running into a known issue in Drupal 6's node access API. Grants only work as an approval, so if any access module says a user can perform an action no other module can take it away. The only other solution I can think of would be a mash of the modules to calculate based on both criteria, obviously a potentially complex task.

Certainly not recommended, but you could apply your own logic to scan the grants tables to remove entries for users that don't match up with both criteria. You would have to find the right hook to have it perform its work after both other modules have calculated their values and saved them to the database.

Good news: this is fixed in D7. Bad news: D7 will be a while. Drupal 7 will allow modules to approve, deny, or abstain from node access decisions. As such, your taxonomy module could say the users are approved for these terms, denied for others. As well, workflow could approve for some stages and deny for others. A user would require at least one approval and no denials.

GApple
Just want to add a thx for explaining. Looking forward to D7... refactored permission system. Meanwhile we get along for our needs.
groovehunter
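
The two decision rules described in the answer, modeled as a stand-alone PHP script (an added example, not part of the original answer and not Drupal or module code). The constant names mirror Drupal 7's NODE_ACCESS_* values; the vote functions, users and document are constructed for illustration.

```php
<?php
// Added illustration, not Drupal core or module code. The three constants mirror
// Drupal 7's NODE_ACCESS_* values; users, documents and vote functions are constructed.
const NODE_ACCESS_ALLOW = 'allow';
const NODE_ACCESS_DENY = 'deny';
const NODE_ACCESS_IGNORE = null;

// Hypothetical taxonomy-based module: act only on documents of your own location.
function location_vote(array $user, array $doc) {
    if ($doc['location'] === null) {
        return NODE_ACCESS_IGNORE; // uncategorized document: no opinion
    }
    return $user['location'] === $doc['location'] ? NODE_ACCESS_ALLOW : NODE_ACCESS_DENY;
}

// Hypothetical workflow module: only the publisher role may run draft -> published.
function workflow_vote(array $user, array $doc) {
    return in_array('publisher', $user['roles'], true) ? NODE_ACCESS_ALLOW : NODE_ACCESS_DENY;
}

// Drupal 6 model as described in the answer: modules can only approve, so a
// refusal is lost and any single approval wins.
function d6_decision(array $votes) {
    return in_array(NODE_ACCESS_ALLOW, $votes, true);
}

// Drupal 7 model as described in the answer: at least one approval and no denials.
function d7_decision(array $votes) {
    if (in_array(NODE_ACCESS_DENY, $votes, true)) {
        return false;
    }
    return in_array(NODE_ACCESS_ALLOW, $votes, true);
}

// Constructed sample data: one Munich document, three users attempting to publish it.
$doc = array('title' => 'Munich safety manual', 'location' => 'munich');
$users = array(
    'munich publisher' => array('location' => 'munich', 'roles' => array('publisher')),
    'berlin publisher' => array('location' => 'berlin', 'roles' => array('publisher')),
    'munich editor'    => array('location' => 'munich', 'roles' => array('editor')),
);
foreach ($users as $name => $user) {
    $votes = array(location_vote($user, $doc), workflow_vote($user, $doc));
    printf("%-17s D6: %-5s D7: %s\n", $name,
        d6_decision($votes) ? 'allow' : 'deny', d7_decision($votes) ? 'allow' : 'deny');
}
```

Under the approval-only rule all three users get through, because each holds one approval from one module; under the approve/deny/abstain rule only the Munich publisher does.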
