Closed mjordan closed 5 years ago
ajs6f
commented
6 years ago This sounds super-useful! Might there be some overlap with other authZ needs? E.g. if I define a collection via a property value ("All resources with :hasColor :blue") this could be used to associate authZ with it, as opposed to using containment...
mjordan
commented
6 years ago Not sure, but assuming we can sync taxonomy terms with properties, I could imagine a Context that checks for the taxonomy term equivalent of :hasColor : blue and the containing pcdm:memberOf and allows access to the Drupal resource accordingly. But writing that out now makes me think that we'll need a SPARQL query in there somewhere.
ajs6f
commented
6 years ago Sorry, I was imagining that :blue is a term, and PCDM isn't in play. Maybe some better examples would be:
:hasAuthor orcid:0000-0002-1825-0097rdf:type aat:300181918that kind of thing. And since we at SI have no intention of using PCDM for anything (I don't think any site that isn't a library would want to do that) I'm imagining a collection (in the generic sense, not the library sense, maybe better to use the word "class") that just is all things with (say) :hasAuthor orcid:0000-0002-1825-0097. To do that in RDF might indeed require a SPARQL query, but to do that from the Drupal side wouldn't, would it?
whikloj
commented
6 years ago @ajs6f As long as you are not looking for any owl:sameAs type checks but just a straight give me all the objects that have X value for Y field, then yes we could do this straight in Drupal.
As of the recent change to modelling in Drupal I think only @dannylamb can say for sure whether this is already on the radar.
mjordan
commented
6 years ago OK, thanks. Taxonomy terms can have URIs as internal (to Drupal) IDs, so if I am understanding your example, you could add all your researcher's ORCHiDs as a taxonomy and apply them to nodes (and then, via Views, get an instant listing of all of a researcher's works). But to Drupal they are still just standard taxonomy terms, which can in fact be used to control access and pretty much anything else you can implement using either existing contributed modules (in fact the one that I mention in the initial issue above does just that) or via Context.
@dannylamb has had a lot more experience in the CLAW context (ha, no pun intended) with using taxonomies, as evidenced during his demo last week. He may want to weigh in on this, but I think that the answer to your initial question above is 'yes'.
In fact, we currently use taxonomies in a Fedoraless-Drupal 6 site (our institutional repository) to define what are the equivalent of "collections" in Islandora 7.x, and to define who may add members to them and who may view their members. Each collection is a single taxonomy term, with child collections being child terms.
mjordan
commented
6 years ago Damit ninjad by @whikloj
ajs6f
commented
6 years ago @mjordan @whikloj This sounds better and better! No, I wasn't thinking about inference or anything like that-- just plain ol' properties right on the resource.
mjordan
commented
6 years ago I don't think https://www.drupal.org/project/permissions_by_term is going to be suitable. Permissions are set at the term level, not the taxonomy level, in the term CRUD form. Help text: "To limit access to this term by user(s) or role(s), select users or roles above. If left empty, all users will have access to content, related to this taxonomy term and this taxonomy term itself."
My tests confirm that if a term is restricted to a role (didn't test specific users, but that's also an option), then only users of that role can assign the term to content, and only users of that role can access that content. This means that we can't use this module to restrict who can assign terms without restricting who can access content with those terms. Will move on to other taxonomy ACL modules.
mjordan
commented
6 years ago But.... since taxonomies are linked to entities as fields, we can use https://www.drupal.org/project/field_permissions to control what roles can assign terms from specific taxonomies at the taxonomy level. Granularity of permissions this module provides are:
So, as is often the case in Drupal, a combination of contrib modules solves the problem(s). The problems here being:
mjordan
commented
6 years ago As per the CLAW call on May 2, I have created structured use cases.
dmoses
commented
6 years ago Have other approaches besides taxonomies been considered for access control?
The ACL module coupled with the Content Access module seems to be a potential approach. Both have ports (alpha at the moment) to Drupal 8.
mjordan
commented
6 years ago @dmoses here's a list of issues relating to access control (there might be others):
Given the discussion over at #888, we might want to review these issues/use cases and document the various ways the Drupal 8 will let us control who sees and manages what. Not sure of the best mechanism for this review is at the moment however.
mjordan
commented
6 years ago Relevant blog post listing a variety of ways to control access to Drupal 8 content: https://www.optasy.com/blog/how-do-you-restrict-access-content-drupal-8-6-modules-will-do-job-you.
mjordan
commented
5 years ago We need to test controlling access to media/files using tags, for example terms from the Media Use vocabulary.
mjordan
commented
5 years ago I installed and enabled the Permissions by Term module and its submodule Permissions by Entity (which is needed to provide access control by term to Media) and they appear to work as expected. By configuring specific taxonomy terms, I was able to restrict access to authenticated users to the node, media (using direct URL to media) and the media's file (using direct URL to file). Not tested, but this should work with any role and even individual users.
dannylamb
commented
5 years ago This is tested and working with permissions_by_term
Given the importance of taxonomies in CLAW, we need to be able to control access to content that has particular terms applied to it and also to the ability to assign the terms themselves. Looks like https://www.drupal.org/project/permissions_by_term is the best contrib module to allow those things. I will test and report back here.