Roles

Users have roles that define what kinds of actions they can take. Roles define classes of users such as anonymous user, authenticated user, moderator, administrator and so on. Every user can have one role.

Roles make it easier for you to manage security. Instead of defining what every single user can do, you can simply set a couple of different permissions for each user role.

Drupal comes with three built-in roles:

For basic Drupal sites you can get by with anonymous user and authenticated user, but for more complex sites where you want other users to be able to perform maintenance or administrative duties, you may want to create your own roles to classify your users into different groups.

Permissions

Each Drupal permission describes a fine-grained logical operation such as access administration pages or add and modify user accounts. You could say a permission represents access granted to a user to perform a set of operations.

Access control

Roles tie users to permissions. The combination of roles and permissions represents a way to tie user authorization to the performance of actions, which is how Drupal determines what users can do.

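roles and permissions"; } return $links ? $links : array(); }

// NOTE(review): this file appears to be an HTML rendering of a PHP module. The
// HTML markup inside several string literals (tables, links) has been stripped
// by that rendering. Those literals are kept exactly as found below and marked
// "kept as found"; the real markup has to be restored from the original file.

/**
 * Load a single role row by its numeric id.
 *
 * @param $rid  role id, usually the request value $id from access_admin().
 * @return the row as an associative array; whatever db_fetch_array() yields
 *         when there is no such row is passed through unchanged.
 */
function access_get_role($rid) {
  // rid is an auto-generated integer (INSERT never supplies it), so an
  // integer cast is a stricter guard than escaping alone and does not depend
  // on what check_input() does with quotes.
  $rid = (int) $rid;
  return db_fetch_array(db_query("SELECT * FROM role WHERE rid = '$rid'"));
}

/**
 * Return every role name keyed by itself (handy for select lists).
 *
 * @return array of name => name ordered by name; an empty array when no roles
 *         exist (the original returned null in that case).
 */
function access_get_roles() {
  $roles = array();
  $result = db_query("SELECT * FROM role ORDER BY name");
  while ($role = db_fetch_object($result)) {
    $roles[$role->name] = $role->name;
  }
  return $roles;
}

/**
 * Render the add/edit form for one role.
 *
 * @param $edit  role row ("name", "rid") when editing; empty when adding.
 * @return the form markup, posting back to $REQUEST_URI via form().
 */
function access_role_form($edit = array()) {
  global $REQUEST_URI;

  $name = isset($edit["name"]) ? $edit["name"] : "";

  $form = "";
  $form .= form_textfield("Role name", "name", $name, 50, 64, "The name for this role. Example: 'moderator', 'editorial board', 'site architect'.");
  $form .= form_submit("Submit");
  if (!empty($edit["rid"])) {
    // Editing an existing role: offer delete and carry the id along.
    // NOTE(review): the button label goes through t(), but access_admin()
    // matches the untranslated literal "Delete" -- a translated label would
    // fall into the default branch instead of deleting.
    $form .= form_submit(t("Delete"));
    $form .= form_hidden("rid", $edit["rid"]);
  }
  // NOTE(review): no anti-CSRF token is visible in this form; whether form()
  // adds one cannot be told from this file.
  return form($REQUEST_URI, $form);
}

/**
 * Create, rename or delete a role from the posted form values.
 *
 * Dispatch (unchanged from the original):
 *   rid and name given  -> rename role rid
 *   rid given, no name  -> delete role rid (access_admin() blanks the name
 *                          when the Delete button was pressed)
 *   no rid              -> insert a new role
 *
 * @param $edit  posted values: "rid" (numeric id) and "name".
 */
function access_role_save($edit) {
  // rid is user-controlled. The original interpolated it unescaped into the
  // UPDATE (WHERE rid = '$edit[rid]'), which is a SQL injection; the DELETE
  // branch escaped it but the UPDATE did not. An integer cast closes both
  // without depending on check_input()'s escaping.
  $has_rid = !empty($edit["rid"]);
  $rid     = $has_rid ? (int) $edit["rid"] : 0;
  $name    = isset($edit["name"]) ? $edit["name"] : "";

  if ($has_rid && $name) {
    db_query("UPDATE role SET name = '". check_input($name) ."' WHERE rid = '$rid'");
  }
  else if ($has_rid) {
    // NOTE(review): nothing stops deleting the built-in 'anonymous user' /
    // 'authenticated user' roles; access_init() re-creates them on the next
    // admin page load, but their permissions are lost. Whether users keep a
    // dangling role id afterwards is not visible from this file.
    db_query("DELETE FROM role WHERE rid = '$rid'");
  }
  else {
    // NOTE(review): an empty role name is accepted here, as in the original.
    db_query("INSERT INTO role (name) VALUES ('". check_input($name) ."')");
  }
}

/**
 * Render the list of roles with an "edit role" link per row.
 *
 * NOTE(review): the table/link markup of the literals below was stripped when
 * this page was rendered; they are kept as found. As found, the row text is
 * emitted after the loop has ended (so $role is no longer a row) -- almost
 * certainly a rendering artifact rather than the real code.
 *
 * @return the table markup; role names pass through check_output().
 */
function access_role_view() {
  $result = db_query("SELECT * FROM role ORDER BY name");

  $output = "";
  $output .= "\n";
  $output .= " \n";
  while ($role = db_fetch_object($result)) {
    $output .= "\n";
  }
  // kept as found:
  $output .= "
nameoperations
". check_output($role->name) ."rid\">edit role
\n";
  return $output;
}

/**
 * Render the roles x permissions matrix form.
 *
 * Permissions are gathered from every module's "perm" hook; roles come from
 * the role table as name => stored perm string.
 *
 * NOTE(review): the table markup of the literals below was stripped by the
 * page rendering (including, apparently, the implode() separator); kept as
 * found.
 *
 * @return the form markup, posting back to $REQUEST_URI via form().
 */
function access_perm_form() {
  global $REQUEST_URI;

  // Compile permission array:
  $perms = array();
  foreach (module_list() as $name) {
    if (module_hook($name, "perm")) {
      $perms = array_merge($perms, module_invoke($name, "perm"));
    }
  }
  asort($perms);

  // Compile role array:
  $roles = array();
  $result = db_query("SELECT * FROM role ORDER BY name");
  while ($role = db_fetch_object($result)) {
    $roles[$role->name] = $role->perm;
  }

  // Render roles / permission table:
  $output = "";
  $output .= "\n";
  $output .= " \n";
  foreach ($perms as $perm) {
    $output .= " \n";
    $output .= " \n";
    foreach ($roles as $name => $value) {
      $output .= " \n";
    }
    $output .= " \n";
  }
  // kept as found, except that the role names in the header row now go
  // through check_output() like every other database value on this page
  // (a role admin could otherwise store markup that runs for other admins).
  $output .= "
 ". implode("", array_map("check_output", array_keys($roles))) ."
". check_output($perm) ."
\n";
  $output .= form_submit("Save permissions");
  return form($REQUEST_URI, $output);
}

/**
 * Store the posted permission matrix: for every role, the checked permission
 * names are joined with ", " into the role's perm column.
 *
 * @param $edit  posted values keyed by role name; each value is an array whose
 *               keys are the checked permission names (see access_perm_form()).
 * @return status message.
 */
function access_perm_save($edit) {
  // Only permissions some module actually declares are stored. The original
  // stored whatever keys were posted and interpolated them into SQL unescaped.
  $known = array();
  foreach (module_list() as $name) {
    if (module_hook($name, "perm")) {
      $known = array_merge($known, module_invoke($name, "perm"));
    }
  }

  $result = db_query("SELECT * FROM role");
  while ($role = db_fetch_object($result)) {
    $checked = array();
    if (isset($edit[$role->name]) && is_array($edit[$role->name])) {
      foreach (array_keys($edit[$role->name]) as $perm) {
        // Strict comparison: numeric-looking keys arrive as integers and would
        // loosely compare equal to any non-numeric string in old PHP.
        if (in_array((string) $perm, $known, true)) {
          $checked[] = (string) $perm;
        }
      }
    }
    $perm = implode(", ", $checked);
    // The value is escaped and the row is addressed by its integer id instead
    // of re-interpolating the stored name into the query.
    db_query("UPDATE role SET perm = '". check_input($perm) ."' WHERE rid = '". (int) $role->rid ."'");
  }
  return "permissions have been saved.";
}

/**
 * Make sure the two built-in roles exist; called on every admin page load.
 */
function access_init() {
  foreach (array("anonymous user", "authenticated user") as $name) {
    // Constant names, nothing user-supplied in these queries.
    $role = db_fetch_object(db_query("SELECT * FROM role WHERE name = '$name'"));
    if (!$role) {
      db_query("INSERT INTO role (name) VALUES ('$name')");
    }
  }
}

/**
 * Admin page dispatcher for roles and permissions.
 *
 * Reads the request through globals ($op, $edit, $id -- register_globals era)
 * and requires the "administer roles and permissions" permission for every
 * operation. The switch deliberately falls through so that a save is followed
 * by the matching overview.
 *
 * NOTE(review): the link markup of the menu line was stripped by the page
 * rendering; kept as found.
 */
function access_admin() {
  global $edit, $op, $id;

  if (!user_access("administer roles and permissions")) {
    print message_access();
    return;
  }

  // kept as found:
  print "add new role | role overview | permission overview | help
\n";
  access_init();

  switch ($op) {
    case "add":
      print access_role_form();
      break;
    case "edit":
      print access_role_form(access_get_role($id));
      break;
    case "help":
      print access_help();
      break;
    case "Delete":
      // Blank the name so access_role_save() takes its delete branch.
      $edit["name"] = 0;
      // fall through:
    case "Submit":
      print status(access_role_save($edit));
      // fall through:
    case "role":
      print access_role_view();
      break;
    case "Save permissions":
      print status(access_perm_save($edit));
      // fall through:
    default:
      print access_perm_form();
  }
}
?>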