tags:

views:

348

answers:

1
+1  Q: 

Drupal workflow action access integrated with taxonomy access control?

I am building a DMS for our intranet and use a taxonomy hierarchy because we need access control that way. All company locations manage (upload,edit) their own documents but should be able to access all. This is inherited to the child terms and works fine.

Additionally we want simple 3-step workflow (draft,published,archived). So i introduced roles for editor, publisher and docadmin and set permissions for the transitions. Also triggers to effectivly (un)publish documents.

But (of course) a user of role publisher can do the transition for ALL documents. But we want publisher for each company location (top taxonomy level, see above).

Could this be achieved? Do i have to set it up by myself (i guess "rules" is appropriate to do this) or is there another module helping.

role inheritance was a guess, but that is only about roles (naturally). "module grants" i use and checked first option. That way my thoughts are going. I hope you get my idea resp. problem.

drupal 6.16 current

edit: I reread the docs and found ie. http://drupal.org/node/408018 Revisioning for categorized content. Will reread that.

A: 

It seems you're running into a know issue in Drupal 6's node access api. Grants only work as an approval, so if any access module says a user can perform an action no other module can take it away. The only other solution I can think of would be a mash of the modules to calculate based on both criteria, obviously a potentially complex task.

Certainly not recommended, but you could apply your own logic to scan the grants tables to remove entries for users that don't match up with both criteria. You would have to find the right hook to have it perform its work after both other modules have calculated their values and saved them to the database.

Good news: this is fixed in D7. Bad news: D7 will be a while. Drupal 7 will allow modules to approve, deny, or abstain from node access decisions. As such, your taxonomy module could say the users are approved for these terms, denied for others. As well, workflow could approve for some stages and deny for others. A user would require at least one approval and no denials.

GApple  2010-03-21 04:10:39
just want to add a thx for explaining. Looking forward for D7... refactored permission system.Meanwhile we get along for our needs
groovehunter  2010-03-28 11:02:20

related questions

Can't copy file with appropriate permissions using FileIOPermission
GetProcessesByName() and Windows Server 2003 scheduled task
Starting a process in C# with username & password throws "Access is Denied" exception
How do you set directory permissions in NSIS?
PHP: How to check if a directory is writeable?
Sharepoint Item Level Access & performance
sudo echo "something" >> /etc/privilegedFile doesn't work... is there an alternative?
What is the best way to create a security architecture?
Hierarchical Group Permissions Theory/Resources?
Why is access denied when installing SSL cert on IIS 5?
What databases do I have permissions on
Can an iPhone App Be Run as Root?
SQLite/PHP read-only?
Multiple permission types (roles) stored in database as single decimal
SharePoint Permissions
CakePHP ACL Database Setup: ARO / ACO structure?
LINQ and Database Permissions
What's the best way to implement a SQL script that will grant select, references, insert, update, and delete permissions to a database role on all the user tables in a database?
php scripts writing to non-world-writable files
How do I detect if a function is available during JNLP execution?
Implementing permissions in PHP
Access Control Lists & Access Control Objects, good tutorial?
In Visual Studio you must be a member of Debug Users or Administrators to start debugging. What if you are but it doesn't work?
Where should I put my log file for an asp.net application?
What is the best way to handle multiple permission types?