Permissions
If you go to Navigation | User management | Permissions you will see a page where you can set the detailed permissions for different user roles.
By default you will see columns for anonymous user and authenticated user. There is no column for administrator, because that role automatically has all permissions.
If you define additional roles, these will be available as new columns. If you install new modules, you may find new permissions are defined. The Permissions page allows very fine-grained control.
Permission types
Many permissions can be categorised into three types.
Access a feature. This generally means that the feature is visible (i.e., can you read the Forums or not) or passively usable (can you search the site). These are usually reasonably safe to grant; it is more a question of whether you want to restrict access to certain site features to encourage registration.
Edit a feature. This mainly affects different types of content. You can usually control whether users can create, edit or delete various content types. This is
Administer a feature. This gives a user the ability to control how some aspect of your website works. Only give this to trusted individuals.
An example
As an example, we will look at the permissions relating to nodes (i.e., the pages, stories, etc. on your site). These are listed under Node module.
You can control which roles can access the content. If you turn this off, users will not be able to see any of your page content until they log on with a suitable role. This isn't usually very useful, but it can form part of the security for a totally closed site (e.g., a company intranet that only employees can access).
You can also control which roles can see revisions. Normally you would not want ordinary users to see revisions; they are usually of little interest to them and potentially confusing. You would probably want to turn this on for administrative roles.
For editing content, you can separately control the editing of each content type for each role. For each content type you can control which roles can:
- Create content of that type.
- Edit that content.
- Edit that content, but only if they are the original author.
- Delete that content.
- Delete that content, but only if they are the original author.
This is very flexible. You can, for example, decide that authenticated users can create stories but not pages. You can choose to let them edit only their own stories or, if you wish, let them edit each other's pages.
Administration permissions which can be individually enabled per role include:
- Administering content types, i.e., creating and editing new types of content over and above pages and stories.
- Administering nodes, i.e., changing the content settings.
- Reverting and deleting revisions.
Testing permissions
The example above only covers nodes. There are many other groups of permissions, usually quite fine-grained. Many contributed modules add their own permissions.
This means that setting up permissions can take a bit of effort. You need to think carefully about what permissions to grant, based on what you know about each role. You also have to make sure you don't make a mistake.
The only way to be certain it is properly set up is to test it thoroughly. The easiest (and probably best) way to do this is to create an account with each role and test your site in each role. Don't just test that you can do everything you should be able to; also check that you cannot do anything you shouldn't in each role.
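As an added example (not part of this page and not Drupal's own code), the following Python models the node permissions described above and runs the kind of per-role test matrix the testing section recommends. The permission names follow the Node module permissions discussed on this page; the role-to-permission map, the extra "editor" role, the test accounts and the sample nodes are constructed assumptions for the illustration. Each case in the matrix records the answer you expect, so an accidental grant is reported just as an accidental denial is.

```python
"""Constructed model of Drupal-style node permissions with a role-by-role
test matrix. Illustrative code only, not Drupal's implementation."""
from dataclasses import dataclass

# Permissions granted per role (assumed configuration). Permission names
# follow the Node module permissions described on the page; "editor" is an
# assumed additional role.
ROLE_PERMISSIONS = {
    "anonymous user": {"access content"},
    "authenticated user": {
        "access content",
        "create story content",
        "edit own story content",
        "delete own story content",
    },
    "editor": {
        "view revisions",
        "create page content",
        "edit any page content",
        "edit any story content",
        "revert revisions",
    },
}


@dataclass(frozen=True)
class User:
    uid: int
    roles: frozenset


@dataclass(frozen=True)
class Node:
    nid: int
    type: str   # content type, e.g. "page" or "story"
    uid: int    # original author


def user_access(user, perm):
    """A permission is held if any of the user's roles grants it.
    The administrator role is modelled as holding every permission."""
    if "administrator" in user.roles:
        return True
    return any(perm in ROLE_PERMISSIONS.get(role, ()) for role in user.roles)


def node_access(user, op, node):
    """Decide op ('view', 'create', 'update', 'delete') on node for user.
    'Own' permissions apply only when the user is the original author."""
    if user_access(user, "administer nodes"):
        return True
    if op == "view":
        return user_access(user, "access content")
    if op == "create":
        return user_access(user, "create %s content" % node.type)
    if op in ("update", "delete"):
        verb = "edit" if op == "update" else "delete"
        if user_access(user, "%s any %s content" % (verb, node.type)):
            return True
        return node.uid == user.uid and user_access(
            user, "%s own %s content" % (verb, node.type))
    raise ValueError("unknown operation: %s" % op)


def run_matrix(cases):
    """Evaluate every (user, op, node, expected) case and return the list of
    mismatches, covering both over-grants and under-grants."""
    failures = []
    for user, op, node, expected in cases:
        got = node_access(user, op, node)
        if got != expected:
            failures.append((sorted(user.roles), op, node.type, expected, got))
    return failures


# Constructed test accounts, one per role, as the text recommends.
ANON = User(0, frozenset({"anonymous user"}))
ALICE = User(2, frozenset({"authenticated user"}))
BOB = User(3, frozenset({"authenticated user"}))
EDITOR = User(4, frozenset({"authenticated user", "editor"}))

STORY_BY_ALICE = Node(10, "story", ALICE.uid)
PAGE_BY_EDITOR = Node(11, "page", EDITOR.uid)
NEW_PAGE = Node(0, "page", 0)   # stand-in for a page about to be created

MATRIX = [
    # positive checks: things each role should be able to do
    (ANON, "view", STORY_BY_ALICE, True),
    (ALICE, "create", Node(0, "story", 0), True),
    (ALICE, "update", STORY_BY_ALICE, True),
    (EDITOR, "update", STORY_BY_ALICE, True),
    (EDITOR, "create", NEW_PAGE, True),
    # negative checks: things each role must NOT be able to do
    (ANON, "update", STORY_BY_ALICE, False),
    (BOB, "update", STORY_BY_ALICE, False),     # "edit own" is not "edit any"
    (ALICE, "create", NEW_PAGE, False),         # stories yes, pages no
    (ALICE, "delete", PAGE_BY_EDITOR, False),
    (EDITOR, "delete", STORY_BY_ALICE, False),  # no delete permission at all
]

if __name__ == "__main__":
    for failure in run_matrix(MATRIX):
        print("MISMATCH", failure)
    print("%d cases checked" % len(MATRIX))
```

The useful habit here is the second half of the matrix: listing what each role must be denied, and re-running the whole matrix whenever a role or a module's permissions change.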
