by Angie Byron

Private forums in Drupal: Forum Access vs. Taxonomy Access vs. Taxonomy Access Control Lite


Most people who use forum systems such as vBulletin or PHPBB are used to having lots of extra features that Drupal core's forums don't contain by default, including private messages, smilies, and BBcode. While all of those are available as contributed modules, there are two "must-have" forum features that are a bit trickier, since they deal with access control: private forums, and forum moderators.

Drupal core tends to have an "all or nothing" approach to these issues. Either a particular role can access all content on the site, or they can access none of it. Either a particular role can administer all forums, or they can administer none of them. Luckily, though, Drupal provides a number of hooks so that contributed modules can add in their own robust access handling.

This article will look at three modules that enhance forum privileges, and compare and contrast them: Forum Access, Taxonomy Access Control, and Taxonomy Access Control Lite.

Use case

Our use case is as follows:

We have four roles: anonymous user (users who aren't logged in), authenticated user (users who are logged in), moderator (users who moderate forums), and administrator (users who administer the site as a whole).

We also have three tiers of forums: administrative forums, that only members in the 'administrator' or 'moderator' roles can view and post to, member forums, which both anonymous and authenticated users can see, but only authenticated users can post to, and guest forums, which anyone can see and post to.

The 'moderator' role should be able to administer the member or guest forums, but only members in the 'administrator' role can moderate the administrative forums.

Here's a summary (click for larger view):

Forum access use case.

Primer on Drupal forum terminology

A quick vocabulary lesson: In Drupal, the forums are made up of three things:

  • Forums themselves, which translate into technical terms as taxonomy terms in a taxonomy vocabulary
  • Forum topics, which in Drupal-speak are nodes
  • Forum replies, which "under the hood" are comments.

Therefore, when we talk about modules that can provide private forums, we refer to modules that can restrict access to forum topics and their replies based on the forum in which the topic was posted. In technical terms, we are talking about node access modules that use taxonomy in order to determine who has access to do what.

Just throwing this at you now, so when you see these words appear again in places below, it's not as scary. ;)

Forum Access

Forum Access is a module specifically designed for the problem at hand. It requires the ACL (Access Control List) module, and is for 5.x only. As of this writing, the newest versions are Forum Access 5.x-1.7 and ACL 5.x-1.3. The ACL module installs three tables (acl, acl_node, acl_user), and the Forum Access module one (forum_access).

You modify Forum Access settings by clicking "edit forum"/"edit container" from Administer >> Content management >> Forum (admin/content/forum).

For containers, you can specify which roles have permission to view the container (which affects the visibility of all forums beneath it), as well as a list of users who may act as moderators (this doesn't appear to have any effect at this level):

Forum Access on containers.

For forums, you can specify which roles have view, post, edit, and delete permissions, as well as the users who may act as moderators. You need to configure both the container and all sub-forum permissions, or else your users will receive an "access denied" message when they go to look at an individual forum (click for larger view):

Forum Access on forums.

Forum Access restricts the list of forums to only those the user has access to:

Forum Access while posting.

Pros: Forum Access is an easy to use module that does exactly what it says it should. The terminology it uses is specific to forums, making it an easy jump for people used to maintaining bulletin board systems. It supports moderation both by role (by giving a role edit and delete permissions on a forum) and by username.

Cons: Configuring permissions can be tedious if there are many forums, as there is no global default setting, and permissions made at the container level don't appear to cascade down to sub-forums. Forum Access does not support controlling access through taxonomy other than the Forums vocabulary; if your needs are more advanced, one of the Taxonomy Access modules may be a better fit.

Taxonomy Access Control

Taxonomy Access Control (TAC) provides extremely fine-grained permissions over any taxonomy vocabulary, including Forums. There are both 4.7.x and 5.x versions. At the time of this writing, there were no official releases of TAC. It installs two database tables: term_access and term_access_defaults. It also includes an uninstall routine, so that you can remove the module after experimenting with it if you need to.

You configure permissions at Administer >> Users >> Taxonomy Access permissions (admin/user/taxonomy_access). Each role has its own permission screen, containing a fieldset for each taxonomy vocabulary.

There's a lot going on with this screen. Essentially, you are describing the contexts in which a given role can View forum topics, Update (all) forum topics, Delete (all) forum topics, Create (post new) forum topics, or List the containers and forums from the main Forum screen.

Here's an annotated screenshot of how the anonymous role is configured for the above use case (click for larger view):

Taxonomy Access permissions

Because Taxonomy Access permissions cascade, if the forum container is not enabled for Listing or Creating, any sub-forums will also be inaccessible. Therefore, both the container and its sub-forums will appear when a new forum topic is posted:

Taxonomy Access posting

Pros: Extremely powerful: fine-grained permissions, and applies to any vocabulary in the system, so can have totally separate access permissions for forums vs. stories, etc. Allows bulk editing of forum permissions (once per role), unlike Forum Access which requires editing forum permissions once per forum.

Cons: User interface is extremely complicated; not easy for people who just want to maintain private forums. Unlike Forum Access, containers are in the Forum list when a new forum topic is created. Not possible to create moderators by username; only roles.

Taxonomy Access Control Lite

Taxonomy Access Control Lite (TAC Lite) was written in response to the 'heavy' nature of Taxonomy Access Control, and aims to simplify the task of restricting access to nodes by taxonomy. At the time of writing, there were no official releases of TAC Lite, which has both 5.x and 4.7.x versions available. True to its name, it installs no database tables, and instead uses existing Drupal data to handle its access control.

This module's interface was a little hard to find: it's hidden under Administer >> User management >> Access control >> Access control by taxonomy. First, select the vocabulary/vocabularies you'd like to enable for access control. Then click the "Role-based privileges" tab to view a screen listing each role, along with the selection of forums:

TAC Lite permissions

Like TAC, forum access cascades, so both the container and the forum must be accessible to a given role, so when posting, the containers are in the forum list.

One advantage TAC Lite has over the other two solutions is the ability to base access off of individual users rather than roles. Each user will have a "tac_lite" tab under their user profile (for example, user/1/edit/tac_lite).

TAC Lite suffers from one fatal flaw for our use case, however: it only operates on view permissions, not update/delete, etc. Therefore, while it can create private forums, it can't provide forum moderators. In addition, it can't let anonymous users view the Member forums but not post in them, while still allowing them to post to the Guest forums.

Pros: Very simple interface. Allows permissions by user as well as by role. Allows selecting which vocabularies should be access-based. Can work for use cases other than forums.

Cons: Only supports restricting view permissions; can't be used as a forum moderator tool. When posting, shows both the container and forum.


So which one comes out on top?

Because it was built specifically to solve this problem, Forum Access is hands-down the easiest and most intuitive tool for managing forum permissions. Setting up those permissions, however, was rather tedious. It also is intended only for managing forum permissions, so it won't work on other vocabularies.

Taxonomy Access Control gives you immense power over every aspect of taxonomy-based permissions. You can control everything from viewing posts to showing the forum name in a list. This power comes at a steep price in usability, however; most people used to managing a forum such as PHPBB wouldn't be able to use this tool without a lot of help; the multitude of possible combinations of permissions mean there are lots of opportunities to make mistakes.

Taxonomy Access Control Lite isn't the right tool for solving our particular forum problem, as it only restricts view access to topics, not update and delete (moderators). However, if a use case came up where you only needed the private forum component, this could be a useful tool. Editing permissions is quick and easy, and you can make view exceptions for individual users, which is a feature neither of the other two modules have.

Recommendation: Use Forum Access if your access restriction needs are strictly related to forums. Use Taxonomy Access Control Lite if you have simple needs, but want to be able to control more vocabularies than just forums. And use Taxonomy Access Control if you need the ultimate power and flexibility over your content.