Building a Website with Drupal 6 – Part 9: Users, Roles, and Permissions
Welcome to part 9 of our tutorial on building a website with Drupal 6. Previously we covered:
Part 1: Introduction
Part 2: Installing Drupal 6
Part 3: Configuring your Site
Part 4: Playing with Blocks
Part 5: Playing with Modules
Part 6: Playing with Themes
Part 7: Installing Modules and Themes
Part 8: Pathauto, Content, and Content Types
As we go through this tutorials I am building a Drupal resource site called Learn Drupal.
So far our website looks something like this: (you can click on the images for a larger view)
In this post we’re going to start looking at the basics of the interaction part of our website. What do visitors to our website see when they land on the front page? What can they do with the content they see on our website? Do we want them to be able to interact with the website at all, or do we want them to come, see, read, and leave? Well, in the case of a business website that may be your intention. But in most cases, you want your users to interact with your website, to leave their thoughts on the content, maybe even to contribute content, to vote on polls, to comment on photos, maybe even to start and maintain their own page on your website. Well, it all starts with user management, which we’re going to talk about today.
As you can well imagine, the topic of user management and all its complexities is one too wide to be covered in one blog post. So in this post I am simply going to introduce you to the basics of how user management works in Drupal, what roles are, and how to set permissions and manage users on your site and how they interact with your website.
Permissions are a very important topic in Drupal. To illustrate, go to your site and logout. Then view the front page. Once I log out of Learn Drupal, this is what I see:
This is the view your visitor sees when they browse to your site. Incidentally, it’s easy to forget to check what your site visitor sees. We get so caught up developing and building our site that we forget that what we see is not necessarily what guests to our website will see, simply because being logged in gives us more access than a random visitor might have. So it’s important to log out every once in a while and make sure the visitor side of the website looks like you want it to.
As a good illustration of this point, look at our page. Everything looks fine except for one thing, the Contact form is not accessible, which means our site visitors have no way to talk to us and let us know what a fine job we’re doing. That’s not good. What’s the point of a contact form if no one can see it I ask you?
Now you may not want guests to be able to use the contact form, only registered users, but in my case, I want anyone and everyone to be able to contact me and tell me what a stellar job I’m doing at Learn Drupal. So this is definitely something I want to remedy.
If you’re observant, you probably also noticed that our search form has disappeared!
User Management Overview
Let’s go ahead and log back in and go into the Administer page. Once there, look at the section titled User Management.
Access Rules allow you to control access to your site by setting rules to allow certain users not to be able to register or log on to your site. We’re not going to go too much into this at this point, but we will revisit access rules at a later date.
Permissions define what a user can or cannot do on our website depending on what role they fall into.
By default, Drupal comes with two roles, “Anonymous User” and “Authenticated User”. The anonymous user is one who is not logged into the site, while the authenticated user is one who is registered and able to log into the account. You can create more roles depending on the kind and complexity of user interaction you want for your website. The permissions that are given to the authenticated user will trickle to all other roles that you create by default, so you should ensure that you select your permissions carefully. If you want ordinary members to have fewer permissions than a “contributor” or “moderator”, then you want to give the authenticated user the permissions that you want for the ordinary member, and then add more permissions to the contributor or moderator.
The permissions page gives you an overview of all the permissions, and allows you to set permissions for all roles in one place.
Roles defines a groups of users that have specific privileges as defined in user permissions. Examples of roles include: anonymous user, authenticated user, moderator, administrator and so on. On the Roles page, you define the role names of the various roles. You can also set the permissions for each role by selecting edit.
User Settings is where you can configure the default behavior of users, including registration requirements, e-mails, and user pictures.
Scroll through the page and see all the configurations you can set. Do you want to control who creates an account by moderating every user registration? Do you want your site to be by invitation only, i.e. visitors cannot create new accounts, you have to create all new accounts?” You can enter user registration guidelines, control what the text of the welcome email will say, whether users need to confirm their registration by email, etc. There are many options on that page and how you set them is a matter of personal preference.
Remember, if you select ” Visitors can create accounts but administrator approval is required”, you need to remember to check your email so that you can approve new users to your site.
Finally, the Users page lists the users on your site, and allows you to add, block, activate, delete, edit, and otherwise manage site users.
Look at that! I have users on my website. Wow! You can see that you can choose to see only particular users by using the filter tool. For example, you can choose to view only users who have certain permissions or who are blocked. You can also, on this page, look at each user’s activity and track what pages they’ve visited and what activities they’ve been involved in by clicking on edit.
This profile view is very plain, and we will learn how to spice it up later, but for now it gives you the basic information. It also allows you to track page visits for your a specific user if you need to contact that user, or to edit that user’s settings (e.g. if you need to block them for some time for one reason or another one, or to activate their account if you have set moderated registration).
So after that brief overview, let’s get into the nitty gritty of it, create some roles and adjust some permissions to manage user interaction on our site.
I want Learn Drupal to be an interactive site for members and site visitors alike. Since this is primarily a resource and learning site, I want site members to be able to create content, write comments, have discussions, and generally interact with each other. As members become more trusted and active on the site, I want them to have more permissions and be able to do more things, and I want to decide that on a case by case basis.
Creating Roles in Drupal 6
So I will start off by creating some roles.
Note: Ideally, it is considered best practice to not use your number 1 account, the one you created when you installed Drupal, for routine administrative tasks, because it’s a very powerful role and you can easily make an irreversible mistake. It’s always advisable to create a separate user for yourself with an admin role that you will use for admin stuff, and reserve the main ID1 account for major maintenance, upgrade, etc. tasks.
So I’m going to create a Site Administrator role for myself, or for whoever may eventually run this site. I will also create the following roles:
- Moderators – since this is going to be an intensively interactive site, I will need moderators who can go through the site and clean up stuff, delete spammy comments, remove inappropriate links, etc.
- Contributors – these will be users who can add content such as tutorials, can have blogs, and can contribute articles that will appear on the site.
I may add more roles as my site grows, but these will do for now. So let’s hop over to Administer -> User Management -> Roles, and create the roles first simply by adding them into the box at the bottom of the current roles and clicking “Add Role“:
I now have my three new roles, and I can edit them and edit their permissions. Clicking on “edit role” gives you the option to change the name of the role or to delete the role.
If you click on “edit permissions” you can set permissions specific to that role:
If you recall the Permissions screen that we saw earlier, the Permissions page allows you to set permissions for all roles on one page, but this page lets you set permissions for the particular role that you’re working with.
As you can see, our new roles have no permissions assigned to them yet, so we’re going to do that next. Instead of clicking on each role and editing it’s permissions separately, I want to see the big picture, so I will set the permissions on the main permissions page.
Setting Permissions on Drupal 6
On your site, navigate to Administer -> User Management -> Permissions
You can see new columns have been added for our new roles. All the roles you create for your users will appear here and you can set their permissions. Remember, any permissions you give to the authenticated user will apply to anyone who is logged into your site.
How you set the permissions here is, like I said, a matter of personal preference based on how you want your users to interact with your website. I want the Site Administrator to be able to do everything, so I check them all. In the next screenshots, I’m going to show you how I have set the permissions for my site. I will probably go back and fine-tune them, but this is how I’ve set them for now (remember you can click on the image for a larger view):
As you can see, setting permissions can be quite an intimidating task. It’s important as you plan your website to think about how you want your users and visitors to interact with your website, what roles you want authenticated users to play, and so on. The ability to create roles and assign permissions to those roles allows customizing how users interact with your site, and managing that interaction, which is a very powerful feature.
Before we call it a day, let’s go ahead and create that admin user that will allow me to do routine tasks without having to use my main ID1 account as I’ve been doing.
Adding a User in Drupal 6
Go into Administer -> User Management -> Users, and click on Add User
Then enter the user details for your the new user and assign that user the role of site administrator:
Then scroll down and click on “Create new account“. I didn’t select to send an email to notify the user of a new account since I’m creating this account for myself. If you have set your site so that you’re the only who can add users, you’ll probably want to check the “Notify user of new account” so your users know an account has been created for them.
If you now go back to Administer -> User Management -> Users, you’ll see the new user listed there, as well the role that they are assigned.
If you now want to assign specific roles other than “authenticated user” to any other user, just click on edit against their name and you’ll see an option to select a role for them.
One last thing, if we now log out of the website, and look at the front page, you’ll notice that the Contact link and the Search form are visible to all site visitors even if they’re not logged in (authenticated”), because we set permissions to allow anonymous users to search the site and access the contact form.
IMPORTANT TAKE-HOME POINTS:
- Any permissions you give to the authenticated user role will apply to anyone who is logged into your site… did I say that before? Oops!
- Anytime you enable a new module or create a new content type, you need to go to the Permissions page to set how you want your users to interact with that module or content type.
- Don’t use your ID1 account for routine admin tasks. Create another account for that and reserve your ID1 account for major site maintenance tasks.
- Drupal is fun and powerful.
- Think about what other roles you may want for your site, and what permissions you want the different roles to have. Add a couple of new roles to your site for practice (I know you can come up with some :))
- Create new users and assign them the different roles, and then log in as each different user and see if your permissions are working as you want them to. For example, if you designated a contributor role like I did, create a user who has the role of contributor and then log in as the contributor user and make sure you can create a blog entry, but not moderate content that you haven’t created, or any other task that the contributor should not be able to do. In other words, PLAY!
- Leave a comment here and let me know if this series if helping you and if you have any questions.
In the next segment, we’re going to look at our Reports section and see what information our Statistics module has collected on Learn Drupal, since it’s been online for a couple of weeks now. Until then, maintain your cool, and have fun with Drupal!