Spotlight Access Control

One of the most powerful features of Drupal is its rich, fine-grained access control system, based around the concept of users, roles, and permissions.


User
A visitor to the website. A user can be anyone: a casual visitor to the website, your company's president who's blogging on the site every day, your system administrator, or someone who doesn't work for your company at all but is still adding content (as with a social networking site).


Role
A group to which users can be assigned. Roles can be something like "administrator" or "sales team member." Drupal comes with two roles by default—"anonymous user" (for all users who have not logged in) and "authenticated user" (for all logged-in users)—but you can create as many different roles as you want.

Permission
Something that users within a role can (or can't!) do on the website. Each module can specify its own list of permissions that may be assigned. Examples of permissions are "access site content" and "edit own blog." If a user does not have the proper permission to do something on the website, he'll receive an "Access denied" error page when trying to access the given functionality.

It's worth sitting down at the beginning of each project and really thinking through what types of users will visit the site and what they're going to want to do. Those will correspond to roles and permissions in the system. Try to think of your users in terms as broad as possible. Particularly on small sites and at small organizations, you might be tempted to create a role for each person (e.g., "Greg's role"). But this gets extremely cumbersome, not to mention confusing, when Susan later replaces Greg. Rather, think of what Greg will be doing on the website, such as site configuration, upgrades, and backups, and name the role after those tasks (e.g., "site administrator") instead.

Controlling user access consists of two parts: (optionally) creating one or more roles to match the types of visitors your website needs to support, and assigning permissions to those roles.

Under Administer → User management → Roles (admin/user/roles), pictured in Figure 2-31, you may create, edit, or remove roles. At this stage, there's nothing more to a role than a name. Individual users may be assigned to roles either via their user profiles or from the user administration page at Administer → User management → Users (admin/user/user). Both creating and assigning roles require the "administer users" permission.
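The programmatic side of this model, as an added example that is not from the book: a minimal module declares its permissions with hook_perm(), the menu system checks them through user_access() for the current user's roles, and a failed check produces the "Access denied" page described above. It assumes the Drupal 6 API (which matches the admin paths on this page); the module, permission and path names are assumptions chosen for the example.

```php
<?php
// spotlight_acl.module: added Drupal 6 example, not from the book.
// Module, permission and path names are assumptions for this example.

// hook_perm(): the strings appear as per-role checkboxes under
// Administer > User management > Permissions.
function spotlight_acl_perm() {
  return array('view sales reports', 'edit own sales reports');
}

// hook_menu(): 'access arguments' are handed to user_access() for the
// current user; when that fails Drupal serves "Access denied" itself.
function spotlight_acl_menu() {
  $items = array();
  $items['sales/reports'] = array(
    'title' => 'Sales reports',
    'page callback' => 'spotlight_acl_reports_page',
    'access arguments' => array('view sales reports'),
  );
  $items['sales/reports/%/edit'] = array(
    'title' => 'Edit report',
    'page callback' => 'spotlight_acl_edit_page',
    'page arguments' => array(2),
    'access arguments' => array('edit own sales reports'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function spotlight_acl_reports_page() {
  return '<p>' . t('Quarterly sales reports.') . '</p>';
}

// "Edit own" is a permission plus an ownership test: the menu system
// checked the permission, the callback must still check ownership.
// Returning MENU_ACCESS_DENIED makes index.php render the 403 page.
function spotlight_acl_edit_page($report_id) {
  global $user;
  // Constructed sample record; a real module would load it from the DB.
  $report = array('id' => $report_id, 'uid' => 4);
  if ($report['uid'] != $user->uid) {
    return MENU_ACCESS_DENIED;
  }
  return '<p>' . t('Editing report @id', array('@id' => $report_id)) . '</p>';
}
```

Because the checks name permissions rather than roles, renaming or reassigning a role (Greg's tasks moving to Susan) needs no code change; only the role's permission checkboxes matter.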


• You can customize the "Access denied" and "Page not found" error pages at Administer → Site configuration → Error reporting (admin/settings/error-reporting).
