Easy-to-follow video tutorials help you learn software, creative, and business skills.Become a member
Once you've decided to allow memberships on your site, you may want to control how much those members can do when they're logged in. By default, they can't really do that much: just read content and comment on it. But you can give them more power by assigning them to a role and then adjusting those roles on a task-by-task basis. The first step in doing that is going up to the People page, by clicking on People, and then going to look at the permissions. These permissions are broken up so that each row is a specific task on your site, and each column is a different role.
You can see those roles by clicking this little button in the upper right-hand corner, and it's the same group as you saw on the previous page: anonymous user, authenticated user, and so forth. Now there are a few roles here that are always going to be there and you can't change. The first one is anonymous user. That's somebody who visits your site and hasn't signed in. The second is authenticated user. That's somebody who has created an account on Drupal Gardens and is now a member of your site. You can learn how people become members by watching the earlier video about user management.
The last kind of role here, site owner, is something that you can't turn on or off. It's the user that was created when you first made your site. It's what's called a super-user, and if you're used to using core Drupal, it's the one that doesn't actually show up. This would normally be hidden, but in Drupal Gardens it's shown. Administrator, blogger, and editor are three roles that you can change, and you can add your own roles as well. One thing to note about the authenticated user is it's anybody who has an account on your site, so that means a blogger is also an authenticated user, as is an editor.
Drupal takes this into account because when you click on that check box for the authenticated user, it turns on all of the ones above it. And then when you uncheck it, it remembers which ones were clicked before, which is very handy. I am going to demonstrate how to turn on and off a permission. Now it should be fairly clear. You simply check the task and the role that you want and then click down at the bottom to save the configuration. But just to show you how it works, I am going to go down to the Node group down here and the Access the content overview page.
I am going to let any authenticated users see that by checking there, scrolling to the bottom, and save permissions. Now, I have another browser window open with my user califanjoe, who is an authenticated user. I am going to take a look at that content page, which I happen to know is at admin/content, and now I can see everything on the site. Now you'll notice I can't do any operations. I can't edit or delete those nodes, but I can at least see them, and I can filter on them, and so forth.
If I go back here and take that away again, go down to Node and take away Access the content overview page, scroll down again, and save the configuration, now if I reload the page as califanjoe, I get nothing. I'm told that access is denied. That's the way that we want it. So that's how you can change individual permissions for members of a given role. But what if you want to move a member from one role to another? For example, let's say that you've been watching califanjoe for a while, and you've gotten to trust him, and you want to give him permission to start a blog.
That's pretty easy. I'll just go back to my Administrative page, click on People, go down to califanjoe, check his box, and then I can add a role. I can say okay, now he's a blogger. Then click Update. I can also do it, as you've seen in an earlier video, by clicking on Edit next to that user and adding the role on that user's profile page. But let's go back to our list of people. I want to point out a user down here that I didn't add. Now explorecalifornia is me, the administrator of this site.
This Gardens admin is something that Drupal Gardens added, and that you can't delete. You'll see there is no edit or delete here. This is for people at Acquia if they need to go in and fix anything on your site, but don't worry. I've never had any experience where they make any sort of changes unless there was something really wrong with the site, and I asked them to do so. But in any case you can't change it, so there's no need to pay any attention to it. Now, let's move on. Let's say that you want to put together a group of permissions that doesn't match any of the roles that already exists. And to take a look at those roles, I'll click on Permissions and then Roles. Nope, that's okay.
You can just add a role. You might remember that we added a content type earlier called Tour. Let's say that we want to allow certain users permission to create those tours, but we don't want them to have any other special roles. That is easy enough. I'm going to call this person a tourmaker, add the role, then go back to Permissions, and I now see tourmaker up here. I could go through, that person already has all of the authenticated user roles, I would go down to, let's see, it's under Node, and allow that person to create or edit tour content. There we go.
I'm actually not going to do that. Again, just to keep the site clean, I'll go back up and delete the role. Simple enough: down here, edit the role, and then delete it, and of course confirm. By the way, this is a great technique for building content on your site--that is, let your users do the work. It's called crowdsourcing, and it's essentially the wealth on which such sites as Yelp and Facebook rest. Watch out, though. If you give the permission too liberally, and you don't monitor your users, then you'll find that trolls and spammers and other vandals will start to abuse it.
I finally want to mention a few things to watch out for when you start playing with roles and permissions. Most important is that you revisit them whenever you turn on a new feature of your site, as you learned how to do in the video about adding and removing functionality. Second, be extremely wary of granting any permissions that have a label next to them that says give to trusted roles only. If we take a look through that look through that permissions list, you'll see that that's quite a few of these tasks. As we scroll down, see in the italics, it says it may have security implications, any other warning like that, be very careful about giving those away because they may allow somebody to actually take over your site.
Third, resist the urge to go wild and create a lot of roles. Only create them when you need to. Otherwise, you might find that you have too many check boxes here, and it becomes more and more confusing to control who can do what.
Get unlimited access to all courses for just $25/month.Become a member
Access exercise files from a button right under the course name.
Search within course videos and transcripts, and jump right to the results.
Remove icons showing you already watched videos if you want to start over.
Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.
Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.