So we've created a list of our employees, but is that really something we want to make available to the whole world? Probably not. So I am going to make some changes to limit our access to it. Now, before I start I should mention that limiting access to a view is only one part of the security solution. The information will still be available and visitors will be able to find it by searching, but I will also point you to some resources for fixing those problems. To show this we need to look at our site as if we were a casual visitor. The way I did that is by opening a different browser program, not just a new window, but an entirely new program.
So I am looking at the site as an administrator here in Firefox, but then if I switch over to Google Chrome, you can see that I'm looking at it as if I'm a visitor, and we know that I'm a visitor because we have this User login over here. Another way to tell in Drupal is by typing user at the end of your domain. If you get this Login box, that means that you're not logged in already, whereas if I am a logged in user and I'm switching back here to Firefox, I see my own profile. A visitor who is not logged in is called an anonymous user in Drupal speak.
Those who are logged in are called authenticated users. Anyway, let's go back to our Employee list and start limiting access to it. As usual we go up and we Edit the view. Right now, we're just looking at the Page View, and you will notice that there's something under Page Settings for Access. We can limit Access either by Permission or by Role, and as you can see, we can limit it just to this display or to all displays. I will briefly explain the difference between Permissions and Roles, but for the full details see Drupal 7 Essential Training from lynda.com.
For us, I am going to change it to Role, and then Apply. We then have a choice of which roles we want to allow to see this page, and in fact, all of the displays. I am going to say that we only want authenticated users and the administrators to see it, not the non-logged-in anonymous users. In fact, I will do that for all of my displays. So I do that and click Apply. We Save our view and then let's test it. Since we are an administrator, we can still see this both in the list and then in the block down here, but if we switch over to our Chrome browser, go back to the front page where, remember, we usually see a view. Access denied.
In fact, that block has also disappeared from this left column. So it works! That's just the basic solution, but there's a big problem with it. Each one of these records is a node in Drupal and we haven't actually limited the access to those nodes. If our visitor happens to know Drupal pretty well, they know that if they simply type node/ followed by a number, they will get one of the nodes in the site. Let's try node/1. Yup! This visitor can still see the private information of poor Dani Smith and, furthermore, the data is searchable.
I can show you that by going back to the administrator site and giving that anonymous user the ability to search. It's not there by default, but many sites turn it on. We click People, and then go up to Permissions, and then scroll down until we get to the Search group, which is way down near the bottom. Let's let them use Search and Save. Now if we go back to Google Chrome and reload, we see a search box. If I do a search, for example, for office, holy cow, I see everything. I see people who work in the front office, in the back office, suddenly I still have access to all the stuff.
So you not only have to hide the view, but also the information itself. There is a nuclear option for doing that. You could simply turn off access to all content. I will go back to my administrative page and scroll down this list of Permissions. One of the permissions is View published content. If I turn that off and Save, then I can go back to my site and reload. They can't see anything. If I were to try /node/1, I again get Access denied.
But in our case I am just going to go back and re-enable that permission. We may be using it later in the course. So View published content, I will let them see it again. I'm also going to turn off that Use search, just for safety's sake. Save permissions, and if we go back to Chrome, we are back the way we were. We can see individual nodes, but we can't search for them. There are several other ways that you can hide this content from anonymous users and some of them give you a lot more control. If you want to see them, go to the drupal.org Modules page.
You will find that at drupal.org/project/modules. Once there, Filter by the version of Drupal you have. In our case it's Drupal 7. Then under Categories look at Content Access Control and search. Wow! 40 Modules that let you limit the access. The one that I'm going to show you very quickly is called Nodeaccess. You might find that one of the others fits your needs better, so don't be shy about looking around and trying all of these if Nodeaccess doesn't do what you want. It's at drupal.org/project/nodeaccess. I'll scroll down and install it the usual way.
Right-click on the gz file, Copy it, go back to my site, Modules, and Install. I then Enable it. Scroll down until I see it in the Other group. I Enable it and Save. When you've done that it gives us a warning. We have to rebuild permissions. So I'll go ahead and do that, and then we go on to configure it. Click Configuration and Nodeaccess. The one that we want to control for is Employee. So I click that link and remove the View permission from anonymous users. It's that simple.
Go down and Save Grants. Once again we rebuild permissions and now we've blocked all the access that we had before for anonymous users. If we were to try to go to node/1 again, nope, still Access denied. Terrific! We've now installed basic data protection on our site, but if the information is really important, you can't stop there, because there are still some potential holes. For example, we haven't prevented other roles from accessing employee information, and going even deeper, anyone who can look at certain files on the server will be able to get all of that data as well.
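As an added illustration (not code from the course or from the Nodeaccess module), here is a minimal Drupal 7 module that does in code what the Nodeaccess configuration above does: it uses the node access grants API that Nodeaccess itself builds on, so the same grants table protects node/1, Views listings and search results at once. The module name employee_access and the content type machine name employee are assumptions.

```php
<?php
// employee_access.module (hypothetical module; also needs an
// employee_access.info file with "name = Employee access" and "core = 7.x").
//
// Node access grants work in two halves: hook_node_access_records() says
// which grant IDs unlock a given node, and hook_node_grants() says which
// grant IDs the current account holds. Core joins the two in the
// {node_access} table, so node_access(), the 'node_access' query tag used by
// Views and node search, and the node/N page are all filtered consistently.
// Users with the "Bypass content access control" permission skip all of this.

/**
 * Implements hook_node_access_records().
 *
 * Runs on node save and on "Rebuild permissions". Returning any record for a
 * node suppresses core's default "everyone may view" record for that node,
 * so only accounts holding one of our grants can view published employees.
 */
function employee_access_node_access_records($node) {
  $records = array();
  if ($node->type == 'employee' && $node->status) {
    $records[] = array(
      'realm' => 'employee_staff',   // assumed realm name
      'gid' => 1,                    // single grant ID: "logged-in staff"
      'grant_view' => 1,
      'grant_update' => 0,
      'grant_delete' => 0,
      'priority' => 0,
    );
  }
  return $records;
}

/**
 * Implements hook_node_grants().
 *
 * Anonymous users (uid 0) receive no grants in the employee_staff realm, so
 * they can neither open node/N nor see employee nodes in search or Views.
 */
function employee_access_node_grants($account, $op) {
  $grants = array();
  if ($op == 'view' && $account->uid > 0) {
    $grants['employee_staff'] = array(1);
  }
  return $grants;
}
```

After enabling the module, rebuild permissions (Reports > Status report, or node_access_rebuild()) exactly as the video does for Nodeaccess, otherwise the {node_access} table still holds the old records.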
Fortunately, the Drupal community has really stepped up to the plate and provided a lot of information about security. Your first stop, as always, is drupal.org. Once there, search for security. To narrow it down further, you can take a look at some of the groups available by clicking here, Best Practices and so forth, or you can look at the documentation, Securing your site, that's a good place to start. If you prefer books, Cracking Drupal puts it all in one place. You can learn about that book at crackingdrupal.com.
But for most data protection purposes the lessons you saw in this video should be enough.