advanced drupal views access control
out of the box, the views module allows you to specify access to the view according to user role. this is a critical feature, but sometimes it's not enough. for example, sometimes you may want the view access to depend on the arguments to the view.
specifically, let's suppose that we have implemented facebook-style threaded mail, and we want to use a view to display all the messages in a thread. the thread id is an argument passed to the view. we only wish to allow the view to be accessed by one of the authors of the thread, or users with the 'administer messages' permission.
here's a three-step approach to resolving this dilemma:
step one. create a new access hook in the views module
right after
  // Administrator privileges
  if (user_access('access all views', $account)) {
    return TRUE;
  }
add
  // Call a hook that lets a module define access permissions for the view
  $access_func = "views_access_$view->name";
  if (function_exists($access_func)) {
    // The hook's result is returned as-is, so any checks after this point
    // are skipped for that view.
    return $access_func($view);
  }
step two. implement your new hook
if your view is called message_thread, then create a function named views_access_message_thread($view).
step three. force views to NOT cache the access control settings for this view
okay, this part is a little hokey. the easiest way to do this is to tell the views module that your view has inline arguments. when you are defining the URL for your view in the views settings, explicitly include the arguments, even if they occur at the end of the URL.
for example, if your page URL is view/message and then you are passing the thread id as an argument, define the page URL as view/message/$arg.
if you don't perform this step, then the views module will evaluate the access control for view/message/10 for a user, cache that result, and use that result for a subsequent request to view/message/34.
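one way to write the step-two hook for the message_thread view (an added example, not code from the original post). it assumes Drupal 5/6-era core functions, the view/message/$arg URL from step three so that the thread id is arg(2), and a hypothetical {message} table with thread_id and author_uid columns.

```php
<?php
// Added example, not from the original post. Assumes Drupal 5/6-era core
// functions (user_access(), arg(), db_query(), db_result()) and a
// hypothetical table {message} with columns thread_id and author_uid.

/**
 * Access check for the 'message_thread' view, called by the hook added
 * to the views module in step one.
 */
function views_access_message_thread($view) {
  global $user;

  // Users who may administer messages can read any thread.
  if (user_access('administer messages')) {
    return TRUE;
  }

  // Anonymous users (uid 0) can never be a thread author: fail closed.
  if (empty($user->uid)) {
    return FALSE;
  }

  // Assumption: the page URL is view/message/$arg, so the thread id is
  // the third path component.
  $thread_id = arg(2);

  // Accept only a plain positive integer; a missing or malformed
  // argument is denied rather than passed on to the query.
  if (!is_string($thread_id) || !preg_match('/^[1-9][0-9]*\z/', $thread_id)) {
    return FALSE;
  }

  // %d placeholders keep both values out of the SQL text.
  $count = db_result(db_query(
    "SELECT COUNT(*) FROM {message} WHERE thread_id = %d AND author_uid = %d",
    (int) $thread_id, (int) $user->uid
  ));

  // Return a strict boolean; only a matching author row grants access.
  return $count > 0;
}
```

this only gives a per-thread answer when step three is in place; otherwise the result cached for one thread id is reused for another.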




