A Guide to Drupal eCommerce and Site Development

Welcome to the final section of the tutorial on configuring your Drupal site with special access permissions. The first section of this tutorial explains Drupal's permissions and user roles. The second section walks through creating user roles and setting their permissions. The third section covers installing and configuring the Content Access module. In this final section I'll show how to create a new content type, give it special access permissions, and finally rebuild permissions to enable this special configuration. 

Creating a New Content Type with Special Access Permissions
Now we will create a new content type that only your customers and staff can view. Please navigate over to this address on your site: admin/content/types. With a fresh Drupal installation, you should see something similar to this:

Drupal's Content Types interface at admin/content/types

We will be creating a new ‘support page’ content type, so click the ‘Add content type’ link. Now you should see something similar to this:

Top portion of Drupal's interface for creating a new Content Type

I’ve already added the name, type and description text to the form as an example. You should enter information similar to this in your version. Beneath this area of the page are three collapsed form elements and the submission button:

Additional items beneath the Description field when creating a new Content Type

Since we want this content type to behave just like a page, but with access restricted only to customers and staff, I will leave the ‘Submission form settings’ area alone. In the ‘Workflow settings’ area, I’ve configured it like this:

Workflow settings define how a node behaves

With these workflow settings, customer support pages will not automatically go to a teaser filled home page, and I want to be able to place attachments for customers to download provided items, such as a PDF of a product manual.

In the ‘Comment settings’ area, one gets into various issues somewhat out of the scope of this tutorial. Examples of these issues include:

• Should customers be able to leave comments?
• If so, how to handle spam and malicious comments?
• What should all these display settings be?

These are sticky questions, with answers that can trigger the necessity for more staff monitoring comments, as well as additional modules. Additional modules like the well regarded Mollom spam blocking solution from the very same people that created Drupal. Mollom is actually used by this site to control spam. I wrote a brief tutorial about setting it up here: How to handle comment spam and offensive comments. And you can learn more about Mollom at their own web site here:  http://drupal.org/project/mollom.

Once you are satisfied with the settings of the new Customer Support Page content type, click the ‘Save content type’ button. This will take you back to the admin/content/types page, where you need to immediately go back in with a click on the ‘edit’ link of the new Customer Support Page content type. Now you will see something similar to this:

A visit to our new Content Type's edit page shows new controls

Notice two changes from what you saw when creating the content type for the first time: There is now an ‘Access control’ link at the top of the page, and a ‘Delete content type’ button at the bottom of the page. Click the ‘Access control’ link to see this:

A new page controlling permissions for our new Content Type

The Content Access module we just installed generates this page. This is where you now have role-based control over who can access and modify pages of this content type. As you can see from the checkboxes above, the content type is configured to allow customers to view any page of this content type, and that is it. They won’t be editing, creating, or deleting any pages of this type, so those settings are clear. Note that the staff role has activated checkboxes for every settings, this is because of the staff permissions configuration. The permissions for ‘staff’ grant these settings, and they can’t be revoked from this page.

In the image above, just below the large bank of checkboxes is a single checkbox labeled ‘Per content node access control settings’. By checking that, you activate permission controls on a per node basis. With that activated, every node of this type created will have an ‘Access control’ tab for setting permissions to that node specifically. The above large bank of checkboxes provides the default settings for the per node permissions.

In the image above, the ‘Advanced’ link reveals a control like this:

The Advanced link expands to show a control for working with multiple permissions control modules

This control is only used when working with multiple access control modules in cooperation with the Content Access module, and that discussion is beyond the scope this tutorial.

Once you have configured the settings on this page as you need, click the submit button to finalize the settings. Follow this with a visit to admin/content/node-settings where you’ll see this:

The full Post settings page, showing more than just Rebuild Permissions

Anytime you modify permissions, enable or disable modules that affect permissions, create new roles, or create new content types, you should revisit this page and click the ‘Rebuild permissions’ button. Note that for a site with a lot of content or users, this can take some time. So it is recommended only  when customers are not around, perhaps when the site is down for maintenance.

That’s it. Now you can create customer support pages, with attachments if necessary, and only your customers can view them after they have logged into your site.

Please feel to offer any questions concerning places where I am unclear in the above, or other ways that I can improve the quality of this tutorial in the comments.