Picture
Arlina Espinoza Senior Technical Lead
March 19, 2018

With all the changes in Drupal 8, it’s no wonder the landscape for access control modules is adapting. While the port of Organic Groups has started, there are several major issues to resolve before it’s ready for use. There are, however, a couple promising new options.

Permissions By Term

If you don’t need group management, Permissions by Term is the Drupal 8 substitute for the Taxonomy Access Control module. It controls node visibility based on the how a node is tagged. Term access is granted by role, and individual users can be whitelisted for term access permissions.

Each term allows you to select by role who can access it from the taxonomy term edit page.

 

Moderation

If your content has drafts or other moderation states, this module will play nicely. Permissions by Term handles access control to published nodes, while moderation modules control access to unpublished moderation states.

Multilingual

This module works with translations if all translations have the same "access control" (they are tagged with same terms). If not, the latest translation of the node gets saved to the node access table, and the other translations get lost. There is work in progress on this issue. 

Shortcomings

  • At present, this module does not control edit and delete permissions since it only works for published content. 
  • This is not the right module if content and users need to be organized by groups. It can be used, but inefficiently, as it would require each user group to be a role, resulting in duplication of "term group A" and role "group A". A workaround could be to whitelist the users to the term, but that might create overhead in the node_access table. If this is a requirement, the Group module is a better choice. 

Technical Overview

Setup is very straightforward: Enable it and configure role access for each taxonomy term on the term edit page. This module uses the node grants API and has 2 custom tables. The codebase looks modern and contains tests.  Node grants built for the current user object list every node the user can access, which could be thousands, and does not seem efficient. This might require attention if your site will has many nodes.

Group

What it does

Group allows content to be organized into groups that users can join. Access is controlled by group roles. The default roles are anonymous, outsider (logged-in but not member), and member, administrators can create additional group roles. An optional module provides out of the box CRUD access control for nodes. 

Group provides an interface to show you what belongs to it.

 

Moderation

The core Content Moderation module permissions take precedence for editing (not for viewing/deleting) so site editors can edit all content even if they are not members or editors of a group. This potentially unexpected behavior presents a moderately complex issue that probably has a custom solution for each site’s unique set of business rules. This, and other similar conflicts, can be solved with a custom module defining the permissions priorities.

Multilingual

This works module works ok with translations. All translations automatically belong to the same groups as the original node and this cannot be changed.

Shortcomings

  • We didn’t find a straightforward way to add a node to a group through the node/add form. Instead, we needed to create the node through a "create content" link in the group page, or manually associate it on another form.
  • If groups are required to control access to nodes, this module works as-is. Associating non-node entities with groups for access control is possible, but requires additional work.

Technical Overview

This module comes with good documentation for site builders and developers. It’s user interface looks similar to Organic Groups, but seems more intuitive. Site administrators can create multiple “group types,” and all groups, group types, user/group memberships, and content/group relationships are fieldable entities (meaning they get all the entity goodness!). Group roles and permissions are configurable per group type, and the module uses the node grants API.

Summary

Drupal 8’s architecture changes mean we may say goodbye to some beloved (and not-so-beloved) module versions. This creates an opportunity for our community to revisit how we solve problems, and better serve our users. Permissions by Term and Group are another indicator that the Drupal 8 community is alive, well and, perhaps most importantly, adapting to change.