Access Control Lists in Drupal?


I've been trying to figure out a workable solution for a couple of months, and have come up with nothing more than some hacks and approximations of what is needed.

Here's a use case:

User "A" (let's call her "Amy") writes a blog post. She wants it to be readable by her professor (let's call her "Betty") and one other student (let's call her "Carmen").

But, she doesn't want the post to be readable by the rest of the class, by students in other classes, nor by the unwashed masses stumbling across a post via Google.

So, Amy wants to grant these privileges to her blog post:
Amy: Read/Write/Delete
Betty: Read
Carmen: Read

Currently, she can create an Organic Group, add the three users to the group (let's call it "Amy+Betty+Carmen"), and mark it as "not public" and having an audience of "Amy+Betty+Carmen".

That Organic Groups model works, but for her next blog post, Amy wants it to be available to another student (let's call him "Dmitry"). So, she has to create a new Organic Group called "Amy+Betty+Dmitry" and add the three users to the group. She then writes a new blog post, sets it to not be public, and gives it the audience of "Amy+Betty+Dmitry".

That pattern just doesn't scale. Each user may have to belong to hundreds of Organic Groups to cover all permutations of sharing and privacy involved with a class or project.

It would be easier if there was just an "Access" section of the blog authoring page, where Amy could just select the users that she wants to add to each of the two non-owner roles (read and edit). This could pose some issues wrt scalability - if there are 100 users in a copy of Drupal, she won't want to have to scan a list. Ideally, some ajax-powered user search would let her just start typing a person's name (she may not know their username or email address) and have the system provide a list of matches.
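
A sketch of that model, added here as an illustration and not code from this post or from Drupal: a default-deny per-node list with owner, read and edit entries, a name search for picking users, and a count of the groups the one-group-per-audience workaround needs for the same posts. It is a stand-alone Python model; the class, function and display names are constructed.

```python
# Model of the per-node, per-user access list the post asks for.
# Not Drupal code: class, function and display names are constructed.
ROLE_PERMS = {
    "owner": {"read", "write", "delete"},
    "edit": {"read", "write"},
    "read": {"read"},
}
# Constructed directory: username -> display name.
USERS = {"amy": "Amy Adams", "betty": "Betty Brown",
         "carmen": "Carmen Cruz", "dmitry": "Dmitry Dahl"}


class NodeACL:
    def __init__(self):
        self._grants = {}  # node id -> {username: role}

    def create(self, nid, owner, read=(), edit=()):
        grants = {user: "read" for user in read}
        grants.update({user: "edit" for user in edit})
        grants[owner] = "owner"  # the owner entry overrides any weaker grant
        self._grants[nid] = grants

    def allowed(self, nid, user, op):
        # Default deny: unknown node, anonymous (None) or unlisted user.
        role = self._grants.get(nid, {}).get(user)
        return role is not None and op in ROLE_PERMS[role]

    def groups_needed(self):
        # The group workaround needs one group per distinct audience.
        return len({frozenset(g) for g in self._grants.values()})


def worst_case_groups(class_size):
    # An author plus any non-empty subset of the other class members.
    return 2 ** (class_size - 1) - 1


def search_users(typed, limit=10):
    # Match what was typed against any word of the display name.
    typed = typed.strip().lower()
    if not typed:
        return []
    hits = [u for u, name in sorted(USERS.items())
            if any(w.startswith(typed) for w in name.lower().split())]
    return hits[:limit]


acl = NodeACL()
acl.create(1, "amy", read=["betty", "carmen"])  # first post
acl.create(2, "amy", read=["betty", "dmitry"])  # second post
```

The two posts already need two groups under the workaround, and one author in a class of eleven can pick 1023 distinct audiences, while the list model stores only one entry per user per post.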

So, the Organic Groups trick works, but doesn't scale. If Amy wants to allow co-authoring on a post (a book page or something), she needs to start fiddling around with Simple Access (or make sure everyone has "Administer Nodes" privs, which won't fly in a community based on assumed privacy for some content). Simple Access is tied to Drupal's concept of Roles, so there may need to be 13 bajillion Roles in the system to cover all permutations (or a Role per user). Doesn't scale. And, there's the strange interaction between Simple Access and Organic Groups, where if you want OG to work, you can't use Simple Access (you have to create a dummy Role called "nobody" with nobody in it for OG to kick in, as Simple Access will override it otherwise).

There are some others who appear to have a similar need. First, there's the "na-arbitrator" module, which adds access control lists to forum posts (so far) - but it appears to be tied to the concept of Roles, with Users being added as Moderators. Close.

"Node Privacy by Role" module sounds close, but again is tied to the concept of Roles, not Users.

There's the Taxonomy Access module, which would require enforcing a taxonomy and making sure only the appropriate people use a given term in the vocabulary. Don't think this would scale either.

Then, there's a rather detailed design spec but it appears to have been orphaned for a year or so... There are some other attempts dating back to 2004, but nothing appears to have been completed.

Perhaps the most promising sounding project is the "Groups" module - but even that hasn't been touched in 13 months, and doesn't work with Drupal 4.7.

The official Drupal handbook includes a section that touches on this topic, but the solutions provided there don't offer the level of user-defined granularity. They rely on administrators to set up roles and taxonomies and to manage the interaction between them. What is needed is a way for users to define the exact audience of any node they wish to restrict access to.

Long story short, I have no good idea on how to currently enable per-node per-user access controls in Drupal. I've got some projects that will either rely on this, or will benefit greatly from it.

