Disallow users from deleting nodes, but allow deletion through Views Bulk Operations

Posted on 2024-09-18 21:28:16 · 318 words · 5 views · 0 comments

I have the following scenario:

  • Editor Role should not be allowed to delete nodes. Therefore the corresponding permission is de-selected in the permissions page.
  • However Editor should be able to delete nodes from Views Bulk operations. Using Rules an action is created called "safe delete" that checks things like if the node is not published etc. before deleting the node.

The problem is the Views Bulk Operations respects Node permissions. Editor will not be able to delete the node as he has not been given that permission. Is there a way that Editor can become a higher role user (as sort of sudo) while performing that action in VBO? Alternatively is there a way to tell VBO to ignore node access for this action?

I'm sure this is a mainstream requirement but I can't seem to find a solution.

Solutions which do not involve programming will be preferred.

Comments (4)

满身野味 2024-09-25 21:28:17

The simple, but not-so-clean way, is the route you already took, but with an additional, small module to help it.

  • has a function my_module_can_delete($user), that returns TRUE if the user is allowed to delete, FALSE if the user is not.
  • implements hook_form_alter() to modify and delete the button on the node_edit form, if my_module_can_delete($user)
  • implements hook_form_alter() to modify the confirm form that is called on /node/%nid/delete, and add a message there, telling the user he or she my_module_can_delete($user). This should be enough, since disabling this form will result in users not being able to get past this form. FORM-API will take care of that.

However, you can make it more sturdy, to catch other deleting modules:

  • implements hook_nodeapi(), $op == 'delete' to catch delete actions and halt (by invoking drupal_goto(), or calling drupal_access_denied()) to enforce a user-error. Only catch delete-actions if the referer was the delete-confirm-form as mentioned above. Or, more secure, whitelist your VBO-action and return false on all other referers. A referer can often be found by reading out the $node passed along to hook_nodeapi().

A, IMHO, much cleaner, but probably more intensive alternative, would be to simply make sure your batches/actions are called on every delete action.

In a module, you could do this by avoiding all the VBO-configuration and leaving all the extra-delete actions out of there.
Then write a module that implements hook_nodeapi() and then calls all the cleaning actions from there. That way you can be sure that your delete-actions are called on every delete-action on any node. Obviously you can add some conditions into your hook_nodeapi() to only invoke your modules in certain cases (node-types, user-roles, permissions and so on).

骄傲 2024-09-25 21:28:17

Well, it seems to me that you've got a setup where you don't want Editor Role users to delete things, really, except in certain extreme situations. Here's my suggestion:

1) Install Flag module. Create a 'To Be Deleted' flag that can only be assigned by Editor Role people.

2) I haven't looked into it, but I'm sure there's probably a rule or trigger/action combo which will unpublish the node when the 'To Be Deleted' flag is assigned to it. This will remove the node from casual view.

3) Then either set up some cron run activity (trigger/action or rule) to delete nodes with 'To Be Deleted' flag set on them, or have another user with higher permissions come in occasionally and delete out the flagged items.

This way you're not actually bypassing the permissions system, and yet things are still being removed from your site.

抱猫软卧 2024-09-25 21:28:17

I got caught out of this for a while until I noticed the "actions_permissions" module, enable this and on the Permissions page you can provide access to specific actions on a role by role basis.

绝影如岚 2024-09-25 21:28:17

I don't have a good no-coding solution, and I'm not sure I would call this solution "great" - but one way might be to implement a simple module with a form_alter hook that removes the delete button from the node edit forms as they are built.

In general it seems like the role either has permission to delete nodes or not, and monkeying around like this is going to be less robust than you might like.
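
Added example, not from the original thread or from the Drupal or VBO projects: one way to express the question's "safe delete" as a Drupal 6 node action that carries its own permission and re-checks everything server-side before briefly switching account for the delete. It assumes Drupal 6 (the answers reference hook_nodeapi()); the module name mymodule, the permission 'safe delete nodes' and the use of uid 1 as the elevated account are assumptions for illustration.

```php
<?php
// mymodule.module: hypothetical Drupal 6 module (added example; every "mymodule" name is an assumption).

/**
 * Implements hook_perm(): a narrow permission, separate from core's node delete permissions.
 */
function mymodule_perm() {
  return array('safe delete nodes');
}

/**
 * Implements hook_action_info(): declares a node action that action-aware UIs can list.
 */
function mymodule_action_info() {
  return array(
    'mymodule_safe_delete_action' => array(
      'type' => 'node',
      'description' => t('Safe delete (unpublished nodes only)'),
      'configurable' => FALSE,
      'hooks' => array(), // No trigger hooks declared for this action.
    ),
  );
}

/**
 * Action callback. All checks run here, on the server, so a hidden button is never the only barrier.
 */
function mymodule_safe_delete_action(&$node, $context = array()) {
  global $user;
  $args = array('@uid' => $user->uid, '@nid' => $node->nid);
  // 1. Authorise the real, logged-in account against the narrow permission.
  if (!user_access('safe delete nodes', $user)) {
    watchdog('mymodule', 'Safe delete denied: uid @uid, node @nid.', $args, WATCHDOG_WARNING);
    return;
  }
  // 2. Reload from the database and enforce the "safe delete" precondition: unpublished only.
  $fresh = node_load($node->nid, NULL, TRUE);
  if (!$fresh || $fresh->status) {
    return;
  }
  // 3. Audit under the requesting account before any switch happens.
  watchdog('mymodule', 'Safe delete by uid @uid of node @nid.', $args);
  // 4. Elevate only around node_delete(), which checks node_access('delete') for the global user.
  $original_user = $user;
  $old_state = session_save_session();
  session_save_session(FALSE); // Never persist the elevated account into the session.
  $user = user_load(1);
  node_delete($fresh->nid);
  $user = $original_user;
  session_save_session($old_state);
}
```

The elevated window covers a single call, and the editor's own role never gains core's delete permission, so direct requests to /node/%nid/delete are still refused by core's access check.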
