Give access by comparing reference or by referencing users for the same node

Created on 24 April 2025, 8 days ago

Problem/Motivation

Today I tested and learned a lot with access_policy. I also watched the presentation "Attribute-Based Access Control in Drupal" on YouTube. Thanks for the great work!

I want to give access to content entities (nodes) of a section-like "Organization Context" with all users who reference this context. This works fine with a policy that compares the field values and applies the policy if they match.
My Access rule is "Compare Organization Context with user".

I need to work in the Selection mode "dynamic" (under /admin/people/access-policies/node/settings).

But I want to share nodes to which this access policy has been applied with individual additional users for whom access is denied due to the policy. The users are referenced by the node for the purpose of giving access.

I can't get this to work; the individual users always receive "Access denied," even though I have set a second access rule in the access policy to allow read and write access for users: "Field has reference to current user."

If I set this to a separate access policy even one access policy can be used for the node. Selection sets only seem to work in the Selection mode "manual".

So what can I do?

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

💬 Support request
Status

Active

Version

2.0

Component

Miscellaneous

Created by

🇩🇪 Germany marco.b


Comments & Activities

  • Issue created by @marco.b
  • 🇩🇪 Germany marco.b

    Improved description to make it clearer

  • 🇺🇸 United States partdigital

    Hi marco.b

    Right now the selection sets are not fully baked for dynamic mode. For example, it doesn't constrain which fields you can use if they are not supposed to be part of the same set. If you need to use selection sets I highly recommend using Manual mode.

    FWIW in version 2.0 I am currently working on the ability to use manual mode from the node edit page. You'll no longer need to go to the Access tab. This is to address a common issue where some users want to have more control of access on insert instead of update. Would that help with what you're trying to achieve?

  • 🇩🇪 Germany marco.b

    Hi partdigital, thanks for the reply.

    My bottleneck is that for my use case, I need to assign multiple access policies to some nodes, but I want this to happen dynamically by setting field values or generally when creating nodes, without the user being able to influence it.

    An ECA module integration would be ideal for this, so that there is an ECA action that allows multiple access policies to be added to a node in an ECA model by entering the machine name, separated by commas.

    Would such an integration perhaps be of general interest?

  • 🇩🇪 Germany marco.b

    As far as I know, all actions that are available in core are also available as actions in ECA.

    So maybe an action plugin that presents actions like "Assign access policy POLICY_NAME" could also be used as an ECA action and also as an action for node bulk editing of selected nodes in a view, couldn't it?
