Permissions By Term and Content Moderation

[murraywoodman]

We have been experimenting with these two modules. We would expect that the Permissions By Term module would play nicely with Content Moderation but it appears that this is not the case. A problem arises when an "Editor" creats a node in Draft state, resulting in a node which is unpublished. Permissions by Term will not allow the Editor to view the node because it is unpublished.

This is obviously a big problem because it basically stops all but the most powerful users from seeing and editing the node.

It seems that the maintainer doesn't want to fix this:
https://www.drupal.org/project/permissions_by_term/issues/2927322#comment-12512795

This will be a problem for the sites which want to use Permissions By Term to control editor access to sections or microsites. This seems to be quite a common use case and I think that this module may be disappointing a few people. If agencies are looking for "distributed editing" then this module probably will not do the trick in its current form. However, if the module is used for only controlling view permissions then it would still be OK.

I'm not sure what the current solution here is. It would seem sensible to turn of Permissions By Term in favour of Content Moderation as moderation is an important feature of GovCMS. Otherwise there is a patch with a proposed sub module:
https://www.drupal.org/project/permissions_by_term/issues/2927322#comment-12504372

It would be good if others could replicate this and see if they can have any success with these two modules.

[sonnykt]

As far as I know, my patch
https://www.drupal.org/project/permissions_by_term/issues/2927322#comment-12504372 does not work 100%. There were some reports that content editors were not able to access some content with the patch in other projects, but I could not recall the details. If we are going to introduce a submodule with this approach, we need to spend more time on testing as Content Moderation does not work well with Node Grant system.

There are calls to get rid of the Node Grant system as well:
https://www.drupal.org/project/drupal/issues/777578#comment-12329833
https://www.drupal.org/project/drupal/issues/1186320

[simesy]

An update on this issue would be awesome

[Belhendo]

Hi Murray, Apologies for the radio silence on this one. Could you please provide an update from your side - is this still a problem from your clients' POV? If yes, to better illuminate the nature of the issue, are you able to provide us please with an overview of your clients' requirements?

As an aside - raising a service desk ticket with all the details will enable a module from the distro to be swtiched off for a specific site.

[murraywoodman]

I wrote the initial bug report 15 months ago in an effort to alert GovCMS that the combination would probably not work. At the time I was roadtesting the combination for an agency who wanted an easy way to assign permissions to content in a section. As my tests did not work, I have steered clear of the combination and have opted to use Content Moderation for the projects I have worked on.

To answer your question, the basic requirements would be:

• support a content workflow (draft, published, archived) with permissions controlled by roles. [Content Moderation]
• support the assignment of access by assigning a taxonomy term to a node which in term maps to access. [Permissions by Term]

The second requirement would be for sites which had different "sections" which need access controlled for different roles. eg. if a department site had many portfolios, each portfolio could be considered as a section with different access rights.

The comments above from sonnykt (who knows a lot more about it than I do) indicates that this is a known problem and that there is a clash of paradigms in how the two systems are working together. I checked in on the links provided above and it appears that there were no updates to those, so I suspect that it is still probably not working.

It would be worth reaching out to the community to see if there is anyone using the modules together in a successful way. Also, if you can run some queries on the modules being used across the platform, you may uncover places where it is being used successfully.

Unfortunately, at this stage I do not have the time to test this functionality out myself.

It should be pretty each to test though:

• spin up a site with some content moderation
• define a vocab with some sections (section-a, section-b)
• define some roles which are mapped to the sections (role-a, role-b)
• create a node, assign it to a section (eg, section-a)
• log in as a user with the role, role-a
• can the user interact with the node, make new darfts etc.

[KelvinWong]

The problem still exists, with PBT 8.x-2.12 and Workflow 8.9.1. Content edits have access to the content when it is unpublished even the user has the right permission.

[thisisalistairsaccount]

I think the challenge with this, and mentioned by @murraywoodman originally is that it doesn't seem as the project owner has an interest in adding to their project creates a blocker. While forking it as an option it then requires its own maintenance path for someone to pick up. Also noting that the patch doesn't seem to work 100% either I'm inclined to think another option is needed for this sort situation, potentially something like #476 may fit the bill surrounding permissions