problems with roles in Drupal - solved

I am having problems with Roles and Permissions. There is a node that can be edited when the user has one role, but not when a role with the same permissions is used. I got it working on my development platter and learned a bit about roles and access permissions. What has me stumped right now is what happens when I copy the system from my desktop to the live server. I copy the programs, database, and rebuild the node access permissions (see below). But so far, it's a no go. This is the first time I've seen a difference between the XAMPP servers on my desktop and the live server at GoDaddy. On the desktop, I found that the way I was changing roles confused the system so I needed to refresh them. But that wasn't enough for the live site.

NOCCC's use of roles and permissions

The current configuration of roles works in a hierarchical manner to allow for the site to be maintained with the collaboration of several people. That way the site is controlled by the club but is not reliant upon one person for each task. Any member of the board can jump in at any time. Here's a quick overview:
  • Anonymous and authenticated users can only read/access data that is considered incidental.
  • Members can do a few more tasks and can see information that is a little more important.
  • There are a few roles with special permissions to change some of that information.
  • Board members can change most of the content and moderate the site as they see fit. There are a few pieces of content that are a security risk and access to them is limited.
  • Just a few board members are given the privileges needed to edit all content and they can act as moderators/editors of everything except the site's layout and configuration.
  • Only the Administrator can change the layout and configuration of the site, and the role assignments.
I set it up this way since I wanted to separate the powers to do the tasks, give each person only as much power as they need, and make it easy to change from role to role. This kind of approach works since every user in a Drupal site gets the sum of all permissions of the roles they have. I originally had one special role to moderate the site but decided to give those powers to all on the board so I simply changed the board role.

problems on my local server

On my local machine I had problems that looked like the system wasn't seeing the changes. After doing some research online I found I needed to rebuild the node access permissions. Here is what I did:
  1. log on as administrator
  2. create some kind of content
  3. set the input filter to PHP
  4. put the following line in the body.
    <?php
    node_access_rebuild();
    ?>
  5. previewed the content
problems on the live server

Since it worked on one server and not the other I tried migrating the tables/programs that changed from one to another.
  • copied the custom node I was working on using GoDaddy's control panel
  • changed the permissions, role, and user table in the server to reflect what I have on the desktop
    1. exported both the structure and the data from my desktop with 'drop if exist' used to an SQL file
    2. imported above SQL file into the live database
    3. rebuilt the permissions as above
It still didn't work on the live server so I verified that the changes I made existed on both servers: that the program had the correct changes, that the users had the correct roles, and that the roles had the correct permissions. Still nothing, so since I had synced the local copy with the live copy earlier I went ahead and copied my whole local installation across to the live server. I FTP'd the whole site, merged the whole database, and rebuilt the node access. Still no go so now I am stumped.

possible causes and next steps

There seems to be a difference between the way my local server works and the way the live one does. I can only think of two possible causes: there is a race condition that my local server can handle but the live server can't, or maybe I've run the rebuild too often on the live server. The recent DNS problems may be causing the race condition. I've seen other sites are much slower. I hear fixes to the DNS problem can cause that in some situations. I seem to remember reading that node access can only be rebuilt a certain number of times. I have to do more research on this one, but this is a potential problem. Now how do I undo it?

Well, at least I've learned that my approach to roles is correct and that I need to rebuild when permissions have been changed significantly. For now I will change the data on the club's live server so it works, but I still want to delegate the job to others so the site can be run without my interaction.

update: 08-05-2008

Ok, I found the problem. Or at least part of it. It seems that what was wrong was I was using an input format (complete HTML) in the node that was not viewable by the role for the board. So I had a choice: allow board members to see the powerful filter, or use a less powerful filter in that node, or add the tags I need to the less powerful filter. Temporarily I changed the filter so that the board members could see it. Now it is working but there are a couple of lingering questions.
  • Why did this happen even though I did a complete copy and database transfer? My guess is that I messed something up somewhere at this point and I'll have to look at the SQL file more closely.
  • Is there any safe way of using a table in a page node? Tables were the only reason I used a more powerful input format. I have to look for a contributed filter or think about how I would do it myself. But tables can be mis-used for XSS purposes and should not be allowed except for administrative purposes.
  • Should all SIG leaders have permissions to use tables? I'm a SIG leader and the administrator so I have special permissions. But I don't want other SIG leaders to have these permissions so I shouldn't be. But tables are a valid concern since information is sometimes best shown in a tabular manner. If I need to use them then maybe I need to allow all SIG leaders to use them.
  • Should board members be trusted with complete HTML? At first I didn't want to give board members the right to enter all HTML since it can be a security risk. But I decided to allow it since we should be trusting the board and if an unscrupulous person became a board member then we would have more problems. My only concern now is that board members might make a mistake.
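
The option of adding the table tags to the less powerful filter, sketched as an added example (not from the original post and not Drupal's own filter code): an allowlist filter that keeps table markup but drops every attribute and all script content. The tag list and the name `filter_html` are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: a restricted tag set extended with plain table markup.
ALLOWED = {"em", "strong", "cite", "code", "ul", "ol", "li", "dl", "dt", "dd",
           "table", "thead", "tbody", "tr", "th", "td", "caption"}
# Elements whose text content is dropped together with the tag itself.
DROP_CONTENT = {"script", "style"}


class AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # greater than 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED and not self.skip_depth:
            # Attributes are discarded entirely: no on* handlers, style or href.
            self.out.append("<%s>" % tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED and not self.skip_depth:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            # Re-escape text so stray <, > and & cannot form new markup.
            self.out.append(escape(data, quote=False))


def filter_html(markup):
    """Return markup reduced to attribute-free allowlisted tags and escaped text."""
    f = AllowlistFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out)


# Constructed sample input: a table carrying event handlers, inline script and an image.
SAMPLE = ('<table onclick="alert(1)"><tr><td style="x">SIG</td>'
          '<td><script>alert(2)</script>Room 5 & 6</td></tr></table>'
          '<img src=x onerror=alert(3)>')
```

With a filter of this shape the table structure survives while attributes, scripts and non-allowlisted tags do not, so the tabular layout no longer requires granting a role the complete HTML format.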

Comments

You have more useful info than the British had colonies pre-WWII.
