Type & Content Permissions together

Topics: Core, Troubleshooting
Aug 8, 2012 at 7:12 PM

I'm trying to use the new Content Permissions module to restrict certain pages from being available to anonymous users.

I'm struggling however to use both type-based and content-based permissions at the same time.

If under Users/Roles, I go to 'Contents feature' and tick allow for 'View all content', then I can use the content permissions part to restrict access to certain pages, all well and good.

Equally, I can create a content type, say RestrictedPage, and under User/Roles untick allow for 'View all content' and then tick allow for 'View (type) by others' for everything except RestrictedPage, and anonymous users can see everything except this content type.

However, if I untick allow for 'View all content', but tick 'View (type) by others' for a type (which allows anonymous visitors to view the content type) then try to use the Content Permissions part to restrict access to an individual item, it doesn't work - access is still granted.

Is it possible to apply content permissions when 'view all content' is not checked, and I'm missing something, is it a bug, or just an unsupported scenario?

Thanks in advance - sorry am experimenting rather here!

Coordinator
Aug 9, 2012 at 6:34 AM

You can only ever grant access. There is no deny in Orchard.

Aug 9, 2012 at 9:18 AM

It certainly seems possible to get deny.

  1. Create a new Orchard Site
  2. Add the Content.Permissions module
  3. Add the ContentPermissionsPart to the Page type
  4. Create a new page
    1. Tick Enable Content Item access control on the new page
    2. Untick 'View this item' under Anonymous
    3. Publish the page
  5. If you are logged in, then you can go to both the home page and the new page; if not, then you can only go to the home page and not your new page - access to the new page is denied

Not sure what I'm missing here.

Aug 9, 2012 at 4:58 PM

OK, I think I understand a little more now.

When 'View all content' is ticked, then role/type permissions are ignored, but if an item has a ContentPermissionsPart, then access is only granted if the ContentPermissionPart allows access.  When I unticked it within the ContentPermissionPart, I was removing the grant access that was there before.

However, when 'View all content' is not ticked, then role permissions are used.  If view Type by others is ticked, then access is already granted, and so unchecking 'View this item' in the ContentPermissionsPart has no effect (since Orchard does not have deny).

Have I understood this far correctly?

Now I get more confused.  Say I want to have a content type which has mixed access.  Now Orchard is grant-only, so I can't grant access on the Type and hope to deny access on the content item (see above).  So let's say I remove allow for Orchard.Content / View all content, and leave View Type by others unchecked.  I now want to grant access to some items of this type, so I check 'View this item' against anonymous in the Content Permissions Part.  I would now expect to be able to access this content item.  However, Orchard denies access to all instances of this content type, regardless of whether permission is granted in the Content Permissions part.  As a minor quirk alongside this, the item that I'm trying to make publically viewable is marked as 'Protected' with a padlock, whereas the others which are restricted by type are not, which is a little confusing for end users!

Is this a bug or intended behaviour and I'm still not understanding something?

Thanks.

Coordinator
Aug 10, 2012 at 4:18 AM

It sounds like a bug but I may have misunderstood this. Please file it.