Want to get Lullabot article, videocast, and podcast announcements delivered right to your in-box?
Let us know your email address (we won't share it) and we'll let you know when anything exciting happens.
Private forums in Drupal: Forum Access vs. Taxonomy Access vs. Taxonomy Access Control Lite
Drupal version: 5.x
March 12, 2007
Introduction
Most people who use forum systems such as vBulletin or PHPBB are used to having lots of extra features that Drupal core's forums don't contain by default, including private messages, smilies, and BBcode. While all of those are available as contributed modules, there are two "must-have" forum features that are a bit trickier, since they deal with access control: private forums, and forum moderators.
Drupal core tends to have an "all or nothing" approach to these issues. Either a particular role can access all content on the site, or they can access none of it. Either a particular role can administer all forums, or they can administer none of them. Luckily, though, Drupal provides a number of hooks so that contributed modules can add in their own robust access handling.
This article will look at three modules that enhance forum privileges, and compare and contrast them: Forum Access, Taxonomy Access Control, and Taxonomy Access Control Lite.
Use case
Our use case is as follows:
We have four roles: anonymous user (users who aren't logged in), authenticated user (users who are logged in), moderator (users who moderate forums), and administrator (users who administer the site as a whole).
We also have three tiers of forums: administrative forums, that only members in the 'administrator' or 'moderator' roles can view and post to, member forums, which both anonymous and authenticated users can see, but only authenticated users can post to, and guest forums, which anyone can see and post to.
The 'moderator' role should be able to administer the member or guest forums, but only members in the 'administrator' role can moderate the administrative forums.
Here's a summary (click for larger view):
Primer on Drupal forum terminology
A quick vocabulary lesson: In Drupal, the forums are made up of three things:
- Forums themselves, which translate into technical terms as taxonomy terms in a taxonomy vocabulary
- Forum topics, which in Drupal-speak are nodes
- Forum replies, which "under the hood" are comments.
Therefore, when we talk about modules that can provide private forums, we refer to modules that can restrict access to forum topics and their replies based on the forum in which the topic was posted. In technical terms, we are talking about node access modules that use taxonomy in order to determine who has access to do what.
Just throwing this at you now, so when you see these words appear again in places below, it's not as scary. ;)
Forum Access
Forum Access is a module specifically designed for the problem at hand. It requires the ACL (Access Control List) module, and is for 5.x only. As of this writing, the newest versions are Forum Access 5.x-1.7 and ACL 5.x-1.3. The ACL module installs three tables (acl, acl_node, acl_user), and the Forum Access module one (forum_access).
You modify Forum Access settings by clicking "edit forum"/"edit container" from Administer >> Content management >> Forum (admin/content/forum).
For containers, you can specify which roles have permission to view the container (which affects the visibility of all forums beneath it), as well as a list of users who may act as moderators (this doesn't appear to have any effect at this level):
For forums, you can specify which roles have view, post, edit, and delete permissions, as well as the users who may act as moderators. You need to configure both the container and all sub-forum permissions, or else your users will receive an "access denied" message when they go to look at an individual forum (click for larger view):
Forum Access restricts the list of forums to only those the user has access to:
Pros: Forum Access is an easy to use module that does exactly what it says it should. The terminology it uses is specific to forums, making it an easy jump for people used to maintaining bulletin board systems. It supports moderation both by role (by giving a role edit and delete permissions on a forum) and by username.
Cons: Configuring permissions can be tedious if there are many forums, as there is no global default setting, and permissions made at the container level don't appear to cascade down to sub-forums. Forum Access does not support controlling access through taxonomy other than the Forums vocabulary; if your needs are more advanced, one of the Taxonomy Access modules may be a better fit.
Taxonomy Access Control
Taxonomy Access Control (TAC) provides extremely fine-grained permissions over any taxonomy vocabulary, including Forums. There are both 4.7.x and 5.x versions. At the time of this writing, there were no official releases of TAC. It installs two database tables: term_access and term_access_defaults. It also includes an uninstall routine, so that you can remove the module after experimenting with it if you need to.
You configure permissions at Administer >> Users >> Taxonomy Access permissions (admin/user/taxonomy_access). Each role has its own permission screen, containing a fieldset for each taxonomy vocabulary.
There's a lot going on with this screen. Essentially, you are describing the contexts in which a given role can View forum topics, Update (all) forum topics, Delete (all) forum topics, Create (post new) forum topics, or List the containers and forums from the main Forum screen.
Here's an annotated screenshot of how the anonymous role is configured for the above use case (click for larger view):
Because Taxonomy Access permissions cascade, if the forum container is not enabled for Listing or Creating, any sub-forums will also be inaccessible. Therefore, both the container and its sub-forums will appear when a new forum topic is posted:
Pros: Extremely powerful: fine-grained permissions, and applies to any vocabulary in the system, so can have totally separate access permissions for forums vs. stories, etc. Allows bulk editing of forum permissions (once per role), unlike Forum Access which requires editing forum permissions once per forum.
Cons: User interface is extremely complicated; not easy for people who just want to maintain private forums. Unlike Forum Access, containers are in the Forum list when a new forum topic is created. Not possible to create moderators by username; only roles.
Taxonomy Access Control Lite
Taxonomy Access Control Lite (TAC Lite) was written in response to the 'heavy' nature of Taxonomy Access Control, and aims to simplify the task of restricting access to nodes by taxonomy. At the time of writing, there were no official releases of TAC Lite, which has both 5.x and 4.7.x versions available. True to its name, it installs no database tables, and instead uses existing Drupal data to handle its access control.
This module's interface was a little hard to find: it's hidden under Administer >> User management >> Access control >> Access control by taxonomy. First, select the vocabulary/vocabularies you'd like to enable for access control. Then click the "Role-based privileges" tab to view a screen listing each role, along with the selection of forums:
Like TAC, forum access cascades, so both the container and the forum must be accessible to a given role, so when posting, the containers are in the forum list.
One advantage TAC Lite has over the other two solutions is the ability to base access off of individual users rather than roles. Each user will have a "tac_lite" tab under their user profile (for example, user/1/edit/tac_lite).
TAC Lite suffers from one fatal flaw for our use case, however: it only operates on view permissions, not update/delete, etc. Therefore, while it can create private forums, it can't provide forum moderators. In addition, it can't let anonymous users view the Member forums but not post in them, while still allowing them to post to the Guest forums.
Pros: Very simple interface. Allows permissions by user as well as by role. Allows selecting which vocabularies should be access-based. Can work for use cases other than forums.
Cons: Only supports restricting view permissions; can't be used as a forum moderator tool. When posting, shows both the container and forum.
Summary
So which one comes out on top?
Because it was built specifically to solve this problem, Forum Access is hands-down the easiest and most intuitive tool for managing forum permissions. Setting up those permissions, however, was rather tedious. It also is intended only for managing forum permissions, so it won't work on other vocabularies.
Taxonomy Access Control gives you immense power over every aspect of taxonomy-based permissions. You can control everything from viewing posts to showing the forum name in a list. This power comes at a steep price in usability, however; most people used to managing a forum such as PHPBB wouldn't be able to use this tool without a lot of help; the multitude of possible combinations of permissions mean there are lots of opportunities to make mistakes.
Taxonomy Access Control Lite isn't the right tool for solving our particular forum problem, as it only restricts view access to topics, not update and delete (moderators). However, if a use case came up where you only needed the private forum component, this could be a useful tool. Editing permissions is quick and easy, and you can make view exceptions for individual users, which is a feature neither of the other two modules have.
Recommendation: Use Forum Access if your access restriction needs are strictly related to forums. Use Taxonomy Access Control Lite if you have simple needs, but want to be able to control more vocabularies than just forums. And use Taxonomy Access Control if you need the ultimate power and flexibility over your content.
Comments
Does Organic Groups fit in to this or help in any way?
Thank you for your informative articles. They are very helpful to me in trying to figure out how to apply Drupal.
Being very new to Drupal I am trying to figure out how to handle the access issues this article addresses. In addition to forum access control, I would also like to enable certain people (or roles) to be able to post content to various categories, but not other places. As I have been searching the web, I notice that there seems to be a division in opinion between two solutions for access control: Taxonomy Access and Organic Groups (og). Since you didn't mention og, could you comment on where that might fit in, if it does in fact apply, and how that might address these access control problems.
Thank you.
OG is out of scope for this article...
...since it's intended to solve a different problem, which is effectively grouping collections of nodes together and applying access controls to the group (think Yahoo! groups). http://groups.drupal.org is the best example of Organic Groups usage: each group is essentially its own "mini-site" where you can post polls, blogs, etc. and set access to private (only members of the group can see) or public. You can also control who can post to the group, and place restrictions on who can become a member. There are many different ways to configure it, and could likely take up an entire article or screencast just on its own. :)
Although you could probably get private forum access going by combining OG + OG Forum, unless you need the group nature of OG, and are adding forums as an afterthought, that's probably overkill. If your intention is to only restrict content by category, Taxonomy Access or TAC Lite (depending on the depth of control you need) is probably better suited to the task. But experiment and see what works best for your needs!
to further press on a topic that is outside the scope
do you have any idea on the compatibility of og and tac?
I had no problem
I had no comptability problems when doing it myself. Everything played it's role pretty well, without conflicts ;)
OG + OG Multiple Mandatory Groups by Role
I have recently opted to use the OG module to provide custom private forums for on-campus organizations and it has been working quite well. However, I am quite tempted now to run a prototype with Forum Access to see how that fares in allowing the site administrator an easier way to manage their own forums.
The way I have it now, is that as someone registers for their site, the admin assigns them to a role before being activated, when this happens, the multiple mandatory groups by role module automatically 'joins' the user into the groups assigned to that role. This has worked very effectively for me because OG handles all of the node access controls and it also provides a feature that forums doesn't, it allows each user to subscribe to new posts via email alerts (anyone subscribing to a group on groups.drupal.org may be familiar with these).
Just like Forum Access, OG provides group ownership per individual, but it doesn't allow the edit/delete specific granularity that Forum Access does. OG simply marks a user as subscribed (they can add content and edit their own) or manager/owner (they can moderate all nodes in that group).
Overall OG isn't a bad route when it comes to using it for forum-esque communication, however, your implementation decision will likely come down to choosing a method which fits your end user/site admin, allowing them to manage user access lists easily and without messing them up.
(Also, using OG content type admin, you can specify which content types are allowed to be published per each group which we use to provide forums specifically for polls or calendar events, etc.)
Server load?
Did you do any research on server load? Did pages seem to load faster with any of the particular brands?
I ask because I also tinkered with TACLite and ForumAccess, and it seemed like my pages loaded much slower with TACLite. Of course, that could be because of any number of variables, but I didn't know if you ran into any of that in your testing.
Very informative! Thank you much!
Not yet....
That's a very good question.
ATM no... I'm just futzing in my local sandbox... this is actually for a hobby project, not for anything work-related. :) Which means it'll probably be months before I have some more free time to play with it. ;)
Any node access module is going to have performance implications, though. It involves extra joins and such.
HOWTO: Benchmark Drupal code has some tips on benchmarking code, and would be a good place to start for this type of analysis.
taxonomy_access = high load
Hey Cross+Flame,
I can only comment on taxonomy_access, which is indeed very heavy on a popular site/forum. I can't give you any stats but with about 50.000 unique users/day we opted to drop the idea of a private admin forum.
good news
The 5.2-dev version of TAC released on March 6 takes care of exactly this issue:
http://drupal.org/node/108752
Nice Writeup ... do you plan to do this for OG too?
Hi,
I really like that article. Do plan to do this for the OG features too? I can imagine a little series "How to set up your OG web site".
Greetings from Frankfurt
Roland
Sounds like there is interest in it...
I'll see what I can do. :)
access control gravitating toward acl?
thank you very much for writing this up, I had been struggling with all of the combinations of Category, Taxonomy, TAC, tac_lite, cac_lite, acl and forum_access.
ultimately we opted for acl + forum_access because of the special need to assign a moderator. this also got me thinking that other modules may have special access needs as well, so I could see almost a contrib module for each that is like_access that all worked through the acl api.
so wherever we need specialized permissions or fine / unique control over access to some functionality we can provide a specialized _access contrib for that module.
just a thought from Austin, TX.
bajakan
Using more than one
Great article!
Forum access sounds perfect for the forums. But what if you want to have some access control on other parts of the site? Is it possible to use FA for the forums and, for example, TAC on non-forum terms, or do they conflict?
Thanks,
Michelle
TAC and forum_access can play nice
TAC and forum_access can play nice together. I set this up on a site just last night! I enabled TAC, Forum, forum_access and acl. Then go into TAC and mark all your forums for read-> allow, the rest all ->ignore (allows forum_access to take over). This worked for me for all cases including not viewing forums that you don't have access to.
TAC is then used for all other vocabularies in a similar fashion, watch out for some modules like blog that have hooks into editing your own blog, for that I set TAC to ignore as well so those perms took over.
Hope this helps!
Thanks
Thanks for the answer. Sorry for the delay. Forgot to come back and look for responses. Oopsie.
Michelle
Best way to control user sign-up
Thanks for your informative post. I am planning a forum on my website about allergies. I started an experimental version of a forum on my desktop installation, and quickly ran in to exactly the sort of questions and problems that your article addresses. This will probably solve half the puzzle for me - when I get a chance in the next few days, I will do some experimenting.
The next question is how best to accept new users? I want to make it easy to join, but deter spammers and annoying irrelevant people who are looking for quick and easy places to post junk!
Yes, I could approve every single application, but I'd prefer to make it as automatic as possible.
Anyone have suggestions, pros and cons of different methods etc?
Thanks
Using taxonomy access, can
Using taxonomy access, can you make some part of the forum that authenticated users can both read and write to, and another part where they can only read posts but not reply?
I have tried, but the problem seems to be, that access to write comments is not inherited from the forum topic access settings?
Newbie question - ACL not showing up
Hi, I'm not sure I am asking in the right place and I only started using Drupal a day ago. So excuse me :)
At admin/site/modules, ACL has a tick next to it. But at admin/content/forum EDIT FORUM I don't have the options you have in the screenshot above. i.e. PARENT and then WEIGHT are the last ones, no ACCESS CONTROL
I am sure its a basic newbie error - something to do with taxonomy module maybe? This is very vanilla installation - the only other module added was pathauto, which I am still trying to work out how to configure for nice easy -to-read paths. :)
Anyway if anything occurs to you as to why ACL enabled would not show up the forum ACCESS CONTROL options, please let me know? thanks!
I'm an idiot n00b
I realised when I did some research that Access Control List is not the access control. That I need the forum access module in addition. I don't know how I missed that except I think I read your Forum Access as a heading instead of an actual module. I found the Forum Access module here http://drupal.org/project/forum_access
Once I scrolled up and read the first few paragraphs again, properly, and found the link, I was hunkydory. :) Thanks for a great tip!
Yikes! What about controlling comments!
Great article - I just tried implementing the Forum Access+ACL solution in a test site and found a major showstopper - it doesn't provide any control over comments in the forum.
Basically, it only gives the moderator control over a forum node but not any of the comments (which are a critical piece of any forum). This means that moderators can't do real moderation when a discussion gets out of hand or if someone spams the site with comment spam. The option becomes "do I delete a forum topic with ten comments or wait for a site admin". Both are not optimal...
Any ideas on how to get real forum moderation going in Drupal? I have a large site and moderation is becoming painful!
oooh exactly what i'm running into ....
i can't believe this isn't addressed somehow. it seems essential that any moderation would be on the comments as well. That's where the bulk of the content that you want moderated probly is.
anyone find solutions for this?
I was able to get the ACL I
I was able to get the ACL I required to forums on a site I just launched using nodeaccess. Can't remember where I found the recommendation, probably on a drupal.org forum.
Nodeaccess breaks out the permissions by roles across the following node types: Books, Forums, Images, Pages and Stories, without using taxonomy (I think), allowing/disallowing View, Edit and Delete.
It is simple to 'get', and very quick to configure.
Though it doesn't have the granularity of the above, I think it would satisfy the use case described.
Maybe it wasn't available at the time of this very helpful article, but there is now a 4.7 release and 5.x dev. I use the latter - which works just fine for me.
Thanks Angie/Lullabot!
Enable Administer->User MGT->access control
If you've gone straight into installing modules galore and are starting to configure your site, you must also enable forum access globally through
(drupal 5.1)
administer -> user management -> access control
Cheers
mylo
This is all great, but..
What about listing the forum and allowing view access but hiding the links within nodes, or maybe filtering the links to output just text. In my case the links are really the only thing I want to hide from anonymous users.
Otherwise is it possible to list all forums, but have the forum page say 'Access Denied' to anonymous users? Which module will do this?
Otherwise is it possible to
Otherwise is it possible to list all forums, but have the forum page say 'Access Denied' to anonymous users? Which module will do this?
Thanks for the answer. Sorry
Thanks for the answer. Sorry for the delay. Forgot to come back and look for responses. Oopsie.
Thanks for the answer. Sorry
Thanks for the answer. Sorry for the delay. Forgot to come back and look for responses. Oopsie.
Using taxonomy access, can
Using taxonomy access, can you make some part of the forum that authenticated users can both read and write to, and another part where they can only read posts but not reply?
I have tried, but the problem seems to be, that access to write comments is not inherited from the forum topic access settings?
Related question: Publish vs. Not published per forum (category)
Hi there.
Thanks for this great article. It's been very useful for me.
I did have another question however, Do you know of a way to set the default "published" vs. "not published" on a similar per-forum (taxonomy category) role?
In particular, i have a site that has a bunch of forums. Most of the forums are normal discussion forums that allow posting by members that are automatically published. However, we have a few "Announcement" forums that are moderated, so when a user posts to these announcement forums, an admin must approve (publish) or deny the posting.
In stock drupal, you can set the default published vs. not-published checkbox on a node type level, so you can turn to published or not-published for all forum posts, but i can't see a way to do that on a per-forum (category) level.
Do you know of a way where i can do this?
Thanks!
:)
Thank you for this article, will help me very much
Robert
Using taxonomy access, can
Using taxonomy access, can you make some part of the forum that authenticated users can both read and write to, and another part where they can only read posts but not reply?
I have tried, but the problem seems to be, that access to write comments is not inherited from the forum topic access settings
more on "using more than one"
above it was asked and answered that Forum Access CAN work with TAC.
What about Forum Access and TAC *Lite*, which I use on the balance of my site?
Can these two work together, and if so what settings should TAC Lite be set to so that Forum Access can handle the real work of forum control?
thanks in advance
re:
In particular, i have a site that has a bunch of forums. Most of the forums are normal discussion forums that allow posting by members that are automatically published. However, we have a few "Announcement" forums that are moderated, so when a user posts to these announcement forums, an admin must approve (publish) or deny the posting.
Its a problem for me :(
Hello all i install the module Taxonomy Access Control, but when i remove it before configuring it completely, the problem arise that both authenticated and anonymous users cant access any custom content that i made, but the contents by drupal can be accessed like /help and others ....
can any body help how can i remove this module and completely restore my old version
why it doesn't work with
why it doesn't work with me.....:(
i followed the orders step by step but it didn't work.... none authenticated nor anonymous users can see the forum or access it...why i don't know
i check access controll permission and taxonomy and roles and every thing ...but none is make it works
so what should i do
tell me??????
Great Article
Just say thanks
It`s a very good article, i would like to know if you have a home page or a site with more of this kind of articles because I`m starting with drupal and this information is really important to me.
Cesar Garcia
Colombia
derya ajans
thank you so mach. from on now
Drupal6?
When will these options become available for drupal6?
Are these options available
Are these options available yet for Drupal 6.x?
Are these options available yet for Drupal 6.x
I'm interested in too...
f?rat çölo?lu
thank you for share
Thank you
thank you,
I have had the exact same issues, and have been looking everywhere for the answer.
Thanks again.
Thank you.
Thank you for your work. This is a fantastic article.
Really Good! Thanks!
Wow, thanks Angie. This article is really good.
I wonder if something has changed since March 2007...
Thanks for a great article.
I am diving into this problem now using Drupal 6 - Forum Access Control. I'd like to have one user moderating one forum and another moderating another and letting other users join. I wondered what 'updated' solutions exist.
By the way - Forum Access is still in beta phase for Drupal 6.
Thanks, Nir.
good work
thank you so mach for you job. thx
Post new comment