How to make content private in Drupal
Posted by fbloggs in Content Management, Drupal, Web DevelopmentI’ve been playing around with a test Drupal install lately. I’ve installed Drupal version 6. One of the most challenging things about working with Drupal is knowing which plugins to use; there are so many of them. For example, in the User Access and Authentication category, there are 249 modules! It took me several tries before I found the module I needed, mostly because the purpose of each module I looked at is not particularly clear. Anyway, I wanted to have some content visible to anyone, and some only visible (and accessible) to authenticated users (me!). I created a story (recommended for newbies on the Drupal site, in the Drupal cookbook), which I wanted to be seen only by me. I also created a public story that anyone can read. Here’s how I protected my private content:
- Select a plug and download it. I chose the ‘content-access’ plugin. I found this via a circuitous route. First, I googled phrases like ‘secure content in Drupal’ and ‘Drupal protect nodes’ with little success. Then I went to Safari Books Online (I have a full library subscription, through work), and looked at the chapter on Modules in the Packt book appositely titled Drupal. This chapter discusses the ‘node_privacy_byrole’ module. I searched for it on Drupal.org, and read its intro, which explained that it is similar in function to the ‘Content Access’ module. So I then read about the ‘Content Access’ module, which has been kicking around for ages (since 2005), and decided to give it a whirl.
- I downloaded the module to my laptop. It’s a tar.gz file, so I unzipped it with 7zip.
- I copied the whole unpacked folder (called ‘access-control’) via FTP to my server. You always copy modules into the Drupal subfolder called ‘modules’, so that’s what I did.
- I logged in as Site Admin to my Drupal site.
- I clicked on Administer > Site Building > Modules. This presents a list of available modules, most of which are core modules, many of which are ‘active,’ but some not. My newly added module appeared at the top of the list, under the heading ‘Access Control’
- I checked the box next to Content Access. This makes the module active (usable).
- I then had to click a button to rebuild site permissions. You get a warning saying this might take a long time. In my case it took about 15 seconds – I don’t have much content yet.
- I clicked on Administer > Content > Content Types.
- I clicked on ‘Edit’ next to ‘Story’. This option means I am about to edit the settings for any content type of ‘story’. I currently have two stories, so the options I selected here will affect both of them (and any other ones I create later).
- A new tab (ie one not seen in the core install) appeared, called ‘Access Control’. I clicked on it.
- I clicked the ‘View any content’ options for both anonymous users and authenticated users. This may seem counter-intuitive, since I want to deny anonymous users the ability to view some stories, but basically this sets the default to ‘Allow all’ and allows you to granularly deny access. Read on…
- There’s a heading on this page: ‘Per content access control settings’. I checked the box next to the text ‘Enable per content node access control settings’ – meaning I can control, at a node level, the access settings for any story. Since all content in Drupal (AFAIK) is a ‘node’ (or collection of ‘nodes’), this seemed to make sense.
- I saved the settings.
- I clicked on Administer > Content Management > Content. This showed me a list of content on my site – a couple of stories, some Book pages, a Page and a blog.
- I clicked on ‘Edit’ next to the story I wanted to make private (accessible to only authenticated users – me). This is the only option available at this point, and it placed my story in edit mode. However, a new link now appears above the story: Access Control.
- I ignored the fact that Drupal seems to think I want to edit content rather than permissions, and clicked the aforementioned ‘Access Control’ link. Jolly good. Almost done.
- I unchecked the boxes for Anonymous User under the column headings ‘View any content’ and ‘View own content’ (the second uncheck is probably not necessary, since Anonymous will never be able to add any of his/her own content to this story anyway – but what the heck.
That’s it. I tested the results by logging out. Sure enough, I could no longer see the story on my front page (I have a ‘story’ block visible on my front page for both anonymous and authenticated users). I could still see the public story, though, just as I wanted. I also tried cutting and pasting the URL for the story node into the location bar of the browser- still couldn’t get there! Perfect!
An interesting side note- I’d also earleir installed a module called Secure Site, hoping that it would do the trick. It mentions something about ‘secured pages’ in the documentation, but I couldn’t for the life of me find a definition for ‘secured page’ anywhere on the Drupal.org site. However, after applying the access restrictions as described above, the Secure Site module dutifully kicked in when I tried going directly to the private story via its URL. So that’s what a ‘protected page’ is- one that’s handled by an ‘Access Control’ module.
Tags: Content Management, Drupal, Drupal modules, Site protection, Web Development
Print
Digg
StumbleUpon
del.icio.us
Facebook
Yahoo! Buzz
Twitter
Google Bookmarks
Entries (RSS)
Making content private in Drupal is what caught my attention first with the program.
First, create the different roles. Unlike other CMS programs (like, Joomla or WordPress) you can create as many roles as you’d like.
Create the pages needed.
Now assign the specific roles that have permission to view each page.
For example, you could have a three tier membership site. All members see the entry level content. Next, the advanced and average users can view the content aimed at average users. And of course only the advanced users see the advanced content.
Althought only three tiers are used in the example you are really unlimited in the number of tiers using Drupal.
I agree with you about the power of being able to create any roles you want. However, the default permissions settings (for any role- those shipped or custom ones you create) do not provide the ability to hide content from a role. Using the content-access module you can prevent access for any role. What I plan to do next is try installing an access module that allows you to deny or allow access for specific users to content or content types. I suspect that’s what the ACL module does, but I’m not sure yet.
Thank you, very helpful. I had used this years ago, but couldn’t remember how, so your post helped me get up to speed.
[...] Drupal, Drupal modules, Site protection, Web Development — fbloggs @ 2:00 am Please read this post at my new hosted site (July 17, [...]
Thanks for this write up, exactly what I needed. I use this module in combination with the front_page module, so that the front page for anonymous users is just a general welcome page, urging the visitors to request an account, while once logged in, the authenticated users get the standard drupal front page that shows a river of news.
Thanks, just the info I needed !
Thank you for the information, I was looking for such type of requirement.
Exactly what i needed. good easy steps to follow.
(wish they really had something simple like this with every module)
Yeah it took a few times to get used to it. But now its pretty much second nature. Wish they could have something like this from the get go. the module and your wonderful explaination.
Thanks a lot for this! I skipped the node specific part (steps 11 & 12) before I read this and tried to restrict access to a content-type using the access control tab, but that alone didn’t work. I’ll have a small enough protected content pages that it won’t be a problem restricting access node by node.