uiowa / uiowa

The base application on Acquia Cloud for the University of Iowa.

Drupal secure content for authenticated users #2305

Open joewhitsitt opened 4 years ago

joewhitsitt commented 4 years ago

Issue

It has been requested by a couple customers to have some content on their public website be viewable to authenticated users, or this idea of "password protected content."

Proposed Solution

pyrello commented 3 years ago

SPPA also needs something like this. In that case, viewing access for a custom content type and some view listing pages would need to be limited to only users of a certain role or roles.

It seems like, at a minimum, this would require custom code or a contrib module like https://www.drupal.org/project/node_view_published_override to allow setting the "View published content" permissions per content type. It also seems like it would require a custom role, since the Viewer role allows things that we would not want in this case.

quamsta commented 3 years ago

We definitely need at least HawkID authentication for viewing some pages at Student Life. We have some clients that rely on this feature pretty heavily.

joewhitsitt commented 3 years ago

> It also seems like it would require a custom role, since the Viewer role allows things that we would not want in this case.

Could the viewer role be repurposed and redefined if this ends up as a feature split instead of default?

mark-bennett-uiowa commented 3 years ago

@joewhitsitt I think this would work for my needs in #3484 as long as we could accomplish this without giving these users editing rights. Closing that issue in favor of this solution.

mark-bennett-uiowa commented 3 years ago

Moving this back to the top of Parking Lot because I now need this for both the iowamommoodbooster.org site and the policy.clas.uiowa.edu site.

Could we possibly investigate using one of these modules for protecting pages behind a password without giving them authenticated permissions??

https://www.drupal.org/project/protected_pages This seems like the best option on paper as it allows sweeping protection of all protected pages vs individual nodes. Updated for 8/9 on April 29, 2021.

https://www.drupal.org/project/protected_node This is the node only protection module, no 8/9 version.

https://www.drupal.org/project/shield This is a walled-garden approach, and may seem too restrictive. Does have a Drupal 8/9 version, updated March 30, 2020.

joewhitsitt commented 3 years ago

Part of this issue is to understand what exactly customers need from this. A big issue I see that customers might not understand is that while they block a node or a path on an otherwise public website, it doesn't necessarily block access to files uploaded to the website or the referenced content that make up the content of the page. Usually it is private documents and such people want to upload to these pages that are still visible to anyone with the right link.

We have done intranets in d7 where everything is uploaded to the private files directory and all content is private, but that doesn't use the Apache login method. There is less guesswork then for the content editors/developer to make sure things are actually private, but it would result in more sites and be a pretty substantial feature fork of our base profile.

I added studentlife, policy.clas and iowamommoodbooster to the issue summary so that we can capture what the expectations are.

briand44 commented 3 years ago

https://www.drupal.org/project/content_access is a module that has been used in the past. I don't love the module but just listing it as a possible option.

joewhitsitt commented 3 years ago

A few thoughts captured from the developer meeting:

richardbporter commented 3 years ago

> We should avoid "secure" type words. Private/restricted/hidden might be better.

Agreed. Hidden might be best.

> What are we providing that another campus tool doesn't (Qualtrics, Office 365, wiki.uiowa.edu)?

I guess integration with existing, on-brand websites.

> If we aren't doing private files, clear disclaimer.

Yes this is a must.

If private files are a requirement, I agree with the approach in https://github.com/uiowa/uiowa/issues/2305#issuecomment-856869255.

If not, I do wonder if we could do something custom for current basic pages. A checkbox like "Hide this page" or something that we use in a hook to deny access for anonymous users. Not sure how feasible/desirable this is but might save us another content type. Probably pretty similar to content_access.
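One way the "Hide this page" checkbox idea above could be wired up, together with a check for the public-file gap joewhitsitt describes earlier in the thread. This is an added example, not code from the uiowa repository or from any commenter; the module name `hidden_page` and the field name `field_hide_from_anonymous` are assumptions.

```php
<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\StreamWrapper\StreamWrapperManager;
use Drupal\node\NodeInterface;

// Assumed machine name of the boolean "Hide this page" checkbox field.
const HIDDEN_PAGE_FIELD = 'field_hide_from_anonymous';

/**
 * Implements hook_node_access() for the hypothetical hidden_page module.
 */
function hidden_page_node_access(NodeInterface $node, $op, AccountInterface $account) {
  if ($op !== 'view' || !$node->hasField(HIDDEN_PAGE_FIELD)) {
    return AccessResult::neutral();
  }
  $hidden = (bool) $node->get(HIDDEN_PAGE_FIELD)->value;
  // "Forbidden" wins over any "allowed" returned by other modules. The result
  // depends on the node's field value and on whether the user is anonymous,
  // so both are declared for the render and page caches.
  return AccessResult::forbiddenIf($hidden && $account->isAnonymous())
    ->addCacheableDependency($node)
    ->addCacheContexts(['user.roles:anonymous']);
}

/**
 * Lists files attached to a node that are stored outside private://.
 *
 * Files under public:// are served straight from the web server, so the
 * access hook above never runs for them. Only direct file and image fields
 * are inspected here; media references and links typed into body text are
 * not covered.
 */
function hidden_page_exposed_file_uris(NodeInterface $node): array {
  $uris = [];
  foreach ($node->getFieldDefinitions() as $name => $definition) {
    if (!in_array($definition->getType(), ['file', 'image'], TRUE)) {
      continue;
    }
    foreach ($node->get($name)->referencedEntities() as $file) {
      $uri = $file->getFileUri();
      if (StreamWrapperManager::getScheme($uri) !== 'private') {
        $uris[] = $uri;
      }
    }
  }
  return $uris;
}
```

`hook_node_access()` is not applied to entity queries or Views listings, so a hidden page's title or teaser can still surface there unless those listings are restricted separately.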

richardbporter commented 3 years ago

"Private Page" or "Hidden Page" content type with minimal text format body and related files private upload. - Prevents referenced content that is public and creates a separate bucket of content that we don't have to constantly test against (layout builder page).

Random thought: minimal text format allows links, no? Does it also allow linking to a document then, and if so, can that be removed?

joewhitsitt commented 3 years ago

> "Private Page" or "Hidden Page" content type with minimal text format body and related files private upload. - Prevents referenced content that is public and creates a separate bucket of content that we don't have to constantly test against (layout builder page).
>
> Random thought: minimal text format allows links, no? Does it also allow linking to a document then, and if so, can that be removed?

Yes, yes, maybe though I think it would be easier to create a new filter format if that was a concern.

bspeare commented 2 years ago

We got a request today from International Programs to "make one of our pages for internal use only, could we make it password protected?".

bspeare commented 1 year ago

Request today from Charlie at Diversity: "Is it possible to require Hawk ID 4x4 to access this page: https://diversity.uiowa.edu/programs/training-programs, as well as the landing pages for each of our professional development courses?"

bspeare commented 1 year ago

Currently we are suggesting that customers use SharePoint for authenticated pages.

cory-skeers commented 1 year ago

Request from TMW for this:

> Is there any way to require HawkID authentication to a set of pages in the Sitenow site? I’d like to post some material that, while it’s not confidential, is decidedly targeted at University of Iowa staff.