http://www.fbloggs.com/2009/06/11/how-to-make-content-private-in-drupal/
’ve been playing around with a test Drupal install lately. I’ve installed Drupal version 6. One of the most challenging things about working with Drupal is knowing which plugins to use; there are so many of them. For example, in the User Access and Authentication category, there are 249 modules! It took me several tries before I found the module I needed, mostly because the purpose of each module I looked at is not particularly clear. Anyway, I wanted to have some content visible to anyone, and some only visible (and accessible) to authenticated users (me!). I created a story (recommended for newbies on the Drupal site, in the Drupal cookbook), which I wanted to be seen only by me. I also created a public story that anyone can read. Here’s how I protected my private content:
Select a plug and download it. I chose the ‘content-access’ plugin. I found this via a circuitous route. First, I googled phrases like ’secure content in Drupal’ and ‘Drupal protect nodes’ with little success. Then I went to Safari Books Online (I have a full library subscription, through work), and looked at the chapter on Modules in the Packt book appositely titled Drupal. This chapter discusses the ‘node_privacy_byrole’ module. I searched for it on Drupal.org, and read its intro, which explained that it is similar in function to the ‘Content Access’ module. So I then read about the ‘Content Access’ module, which has been kicking around for ages (since 2005), and decided to give it a whirl.
I downloaded the module to my laptop. It’s a tar.gz file, so I unzipped it with 7zip.
I copied the whole unpacked folder (called ‘access-control’) via FTP to my server. You always copy modules into the Drupal subfolder called ‘modules’, so that’s what I did.
I logged in as Site Admin to my Drupal site.
I clicked on Administer > Site Building > Modules. This presents a list of available modules, most of which are core modules, many of which are ‘active,’ but some not. My newly added module appeared at the top of the list, under the heading ‘Access Control’
I checked the box next to Content Access. This makes the module active (usable).
I then had to click a button to rebuild site permissions. You get a warning saying this might take a long time. In my case it took about 15 seconds – I don’t have much content yet.
I clicked on Administer > Content > Content Types.
I clicked on ‘Edit’ next to ‘Story’. This option means I am about to edit the settings for any content type of ’story’. I currently have two stories, so the options I selected here will affect both of them (and any other ones I create later).
A new tab (ie one not seen in the core install) appeared, called ‘Access Control’. I clicked on it.
I clicked the ‘View any content’ options for both anonymous users and authenticated users. This may seem counter-intuitive, since I want to deny anonymous users the ability to view some stories, but basically this sets the default to ‘Allow all’ and allows you to granularly deny access. Read on…
There’s a heading on this page: ‘Per content access control settings’. I checked the box next to the text ‘Enable per content node access control settings’ – meaning I can control, at a node level, the access settings for any story. Since all content in Drupal (AFAIK) is a ‘node’ (or collection of ‘nodes’), this seemed to make sense.
I saved the settings.
I clicked on Administer > Content Management > Content. This showed me a list of content on my site – a couple of stories, some Book pages, a Page and a blog.
I clicked on ‘Edit’ next to the story I wanted to make private (accessible to only authenticated users – me). This is the only option available at this point, and it placed my story in edit mode. However, a new link now appears above the story: Access Control.
I ignored the fact that Drupal seems to think I want to edit content rather than permissions, and clicked the aforementioned ‘Access Control’ link. Jolly good. Almost done.
I unchecked the boxes for Anonymous User under the column headings ‘View any content’ and ‘View own content’ (the second uncheck is probably not necessary, since Anonymous will never be able to add any of his/her own content to this story anyway – but what the heck.
That’s it. I tested the results by logging out. Sure enough, I could no longer see the story on my front page (I have a ’story’ block visible on my front page for both anonymous and authenticated users). I could still see the public story, though, just as I wanted. I also tried cutting and pasting the URL for the story node into the location bar of the browser- still couldn’t get there! Perfect!
An interesting side note- I’d also earleir installed a module called Secure Site, hoping that it would do the trick. It mentions something about ’secured pages’ in the documentation, but I couldn’t for the life of me find a definition for ’secured page’ anywhere on the Drupal.org site. However, after applying the access restrictions as described above, the Secure Site module dutifully kicked in when I tried going directly to the private story via its URL. So that’s what a ‘protected page’ is- one that’s handled by an ‘Access Control’ module.