We haven't talked much in this course about information security, although in practice, it should be your number one concern. For example, we've listed the birthday for each person in our family website, but there are many people who don't like others to know how old they are. Even more importantly, a criminal who knows both your name and birthdate might be able to use that information to impersonate you. So, using views and some additional access controls, we're going to hide that particular piece of information from the public at large, but leave it visible to people who have accounts on your family website.
To do this, we're going to stay logged in as the administrator in Firefox. However, I've also opened another browser, in my case Safari, and I haven't logged in. So, if I go to localhost, we can see the User login here. When I'm done, if everything goes right, we'll still see the date of birth in Firefox, but we won't in Safari. This date of birth appears in three places. First of all, it appears in the teaser as you see on this front page. Secondly, it appears in the full node when you click through to see the entire record of that person and thirdly, it appears in the People view that we created, and which is available at the URL, people.
Let's take care of first things first. We'll go back to our front page and hide that date of birth. You might remember that we do this by changing some settings in the Content type. To do that, go to Administer > Content management and Content types. Then we'll go to Person > Edit and Display fields and there's our Date of birth. I'm going to hide it both from the teaser and from the full node and I'm also going to hide the label by changing from Inline to Hidden and then click Save. Let's go back to our front page. Indeed it's hidden on the front page in the teaser view and it's hidden in the full node. However, it's still not hidden when we go to the view called People. There it is.
To make that change, we're going to have to edit that view. The easiest way of doing that is going up to this little ghost menu here and clicking Edit. We earlier named this page, Page for family. We're going to restrict that now so only people who are signed in can see that page. To do so, go down to Access and change from Unrestricted to those people who have the role of authenticated. As a side note, you can also restrict based on permission, which can get a little more complex. For now, we'll just go to Role and Update default display and then click authenticated user and click Update. Finally, we'll save that and to test, we'll go to that People page. Here, as the signed-in user, it works.
Then we'll switch over to our anonymous user in Safari and see if we can get to that page. Indeed we can't. I'm going to make one more change in that view to see an additional feature of hiding views from anonymous users. So, I go back there and click on Edit and I'm going to add a menu, scroll down a little bit. It will be a normal menu entry, it will say People and it will be in the primary menu which is the one in the upper right-hand corner in this theme. Click Update and Save. Now, you notice for the logged in user, we have this People link up here and that makes it a lot easier to go to that page.
If we switch back to our anonymous user and try to get there, we're not only denied from reaching the page, we also don't see the menu. Very useful. But let's give this anonymous user something to look at. To do that, we go back to our original view and edit it and I'm going to add a page display here. We already have a page for family. That's the one that shows the date of birth and everything else. Now, I'll create a more restrictive page for everyone. Add a page display, change the name of that page display so that it's page for everybody and click Update and finally, Save.
Now, you notice, we've got an error here because we created that page without a path. This is where the magic comes in. The Page for family is at the path People. I'm going to give the page for everybody the same exact path. Scroll down and say People and click Update and click Save. However, when I go back and edit it and make sure that I'm on the page for everybody, I'm then going to change the access. Now remember, this is in italics here. That means that it's copying the default display. We have to change that or we'll change it from Authenticated to Anonymous for every kind of display. So, I'll click there and we'll click Override and as always, I'd like to say Update after I override just to be sure.
Then we go up and click on the options for Access and change it from Authenticated user to Anonymous user and update. Finally, we save. Now, we have one page that authenticated users can see and another page at the same place that anonymous users can see. But at the moment, they both look exactly alike. Let's go back and edit that page for everybody and remove the fields that we don't want them to see. As you can see, they're in italics. So again, we're going to have to override. I'll click on Fields, scroll down, click on Override and Update. There, now we can change the fields viewed without ruining everything for the other displays. We want to get rid of that date of birth. So, we'll click on that, scroll down and remove. Finally, we go back up and save and let's test that. Here, we're logged in and we'll look at the People page. I'll just reload it to make sure everything is good.
Yup, we still see the date of birth. Now, when I switch over to our anonymous user and reload that People page, we see the same page without the date of birth. So, it really did work the way we wanted. Finally, we can go back to our original administrative view here and edit it and continue removing fields or in fact, we could change the style, so it's in a grid. We can do all sorts of things. I think I'm going to just remove the taxonomy terms, so that people don't know whether someone was born into the family or married into the family. And Update and Save. The last thing that you have to do for security is change the way that people can sign up for the site. Very often people forget to do this and all of a sudden, they find they have all of these new users and they don't know who they are.
We'll go to Administer > User management and User settings. By default, Drupal lets anybody sign up for a site with no administrator approval required. If you're going to secure a site like this, you also have to make sure that administrator approval is required or set it so that only site administrators can create new accounts. I'll do the more permissive one, which lets people apply for the site, but they have to be approved. Then I scroll to the bottom, click Save configuration and we've effectively secured our site. This example, while effective, is pretty simple.
But I think you can see that there are a lot of ways you could go with this technique, in addition to adding security to your data-driven website. For example, we only used the built-in authenticated role, which includes everybody who has an account. But you could control access in several ways by using many different types of roles. In addition, on the Drupal.org website, there are over 100 access control modules available. To find them, go to Drupal.org, click on Modules and as you scroll down on the right-hand column, you'll see the categories User Access and Authentication and User management. For help in setting up those roles, which is the key to having multi-level security, see the video "Controlling Site Access with User Management" in the Drupal Essential Training series from lynda.com.
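The two-displays-at-one-path technique above, and the "override before you change it" rule from the italics step, as an added model written for this page (it is not Drupal's own code; display, field and role names are assumed from the video):

```python
# Added model of how Drupal 6 Views resolves per-display settings and access.
# Not Drupal's code: display, field and role names follow the video's scenario.
AUTHENTICATED, ANONYMOUS = "authenticated user", "anonymous user"


class View:
    """A view: one default display plus page displays that inherit from it."""

    def __init__(self, fields, access):
        self.default = {"fields": list(fields), "access": access, "path": None}
        self.displays = {}  # display name -> only the settings it has overridden

    def add_page(self, name, path):
        self.displays[name] = {"path": path}  # every other setting still inherited

    def setting(self, name, key):
        # A setting shown in italics in the UI is read from the default display.
        return self.displays[name].get(key, self.default[key])

    def update(self, name, key, value, override=False):
        # Without "Override", the change is written to the default display and
        # therefore reaches every display that still inherits this setting.
        local = self.displays[name]
        target = local if override or key in local else self.default
        target[key] = value

    def serve(self, path, user_roles):
        # First display at this path whose access role the user actually holds.
        for name in self.displays:
            if (self.setting(name, "path") == path
                    and self.setting(name, "access") in user_roles):
                return name, list(self.setting(name, "fields"))
        return None, []  # access denied: no display at this path admits the user


def build_people_view(override_before_change=True):
    """Rebuild the People view from the video; return what each visitor sees at /people."""
    view = View(fields=["name", "date_of_birth", "family_terms"], access=AUTHENTICATED)
    view.add_page("page_for_family", "people")
    view.add_page("page_for_everybody", "people")
    # Restrict the public display to anonymous visitors and drop the sensitive fields.
    view.update("page_for_everybody", "access", ANONYMOUS, override=override_before_change)
    view.update("page_for_everybody", "fields", ["name"], override=override_before_change)
    return {
        "family": view.serve("people", {AUTHENTICATED}),
        "everybody": view.serve("people", {ANONYMOUS}),
    }
```

Calling `build_people_view(override_before_change=False)` reproduces the mistake the video warns about: the edits land on the default display, so signed-in family members are locked out of /people and the stripped field list applies to everyone.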