Today I was working on an intranet site using Open Atrium. Our client wanted to post their employee handbook on the intranet using the atrium notebook module. The problem is that, by default, all authenticated users are able to post a handbook item. Obviously, it wouldn't work for an employee to be able to modify the employee handbook online.
First, I went to the 'admin/user/permissions' page and disallowed the 'create new books' and 'add content to books' permissions for my newly created 'Employee' role. Upon testing an employee user, they were still able to add book content. Hmmm?
After further investigation, I discovered this article that basically said that the permissions are set using the Features module and that changing them would require using a hook provided by the Features module.
Enter hook_user_default_permissions_alter()
Using hook_user_default_permissions_alter() in a custom module, I was able to add the roles I wanted to the book permissions, excluding the 'employee' role. This code allows users in the 'Employee' role to view the book pages and prevents them from adding/editing/deleting books. Perfect! The finished code looks like this:
/**
 * Implements hook_user_default_permissions_alter().
 */
function MYMODULE_user_default_permissions_alter(&$permissions) {
  // Give 'add content to books' permissions to all roles except 'employee'.
  $permissions['add content to books'] = array(
    'name' => 'add content to books',
    'roles' => array(
      'administrator',
      'manager',
      'committee member',
    ),
  );
  // Give 'create book content' permissions to all roles except 'employee'.
  $permissions['create book content'] = array(
    'name' => 'create book content',
    'roles' => array(
      'administrator',
      'manager',
      'committee member',
    ),
  );
  // Give 'create new books' permissions to all roles except 'employee'.
  $permissions['create new books'] = array(
    'name' => 'create new books',
    'roles' => array(
      'administrator',
      'manager',
      'committee member',
    ),
  );
  // Give 'edit any book content' permissions to all roles except 'employee'.
  $permissions['edit any book content'] = array(
    'name' => 'edit any book content',
    'roles' => array(
      'administrator',
      'manager',
      'committee member',
    ),
  );
  // Give 'delete any book content' permissions to all roles except 'employee'.
  $permissions['delete any book content'] = array(
    'name' => 'delete any book content',
    'roles' => array(
      'administrator',
      'manager',
      'committee member',
    ),
  );
  // Give 'delete own book content' permissions to all roles except 'employee'.
  $permissions['delete own book content'] = array(
    'name' => 'delete own book content',
    'roles' => array(
      'administrator',
      'manager',
      'committee member',
    ),
  );
  // Give 'administer book outlines' permissions to all roles except 'employee'.
  $permissions['administer book outlines'] = array(
    'name' => 'administer book outlines',
    'roles' => array(
      'administrator',
      'manager',
      'committee member',
    ),
  );
}
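A way to check the result, as an added example that is not part of the original post or of Open Atrium: a standalone audit over a permissions array in the same shape the hook receives, reporting which watched permissions still reach a restricted role. The function name and the sample array are hypothetical and constructed; the check relies on Drupal giving every logged-in user the 'authenticated user' role in addition to their assigned roles.

```php
<?php
/**
 * Reports which watched permissions $role would still hold.
 *
 * Hypothetical helper (not a Drupal or Features API). A grant to
 * 'authenticated user' counts as a leak because every logged-in user,
 * including members of $role, holds that role as well.
 */
function mymodule_audit_role_leaks(array $permissions, $role, array $watched) {
  $effective = array($role, 'authenticated user');
  $report = array('leaks' => array(), 'unmanaged' => array());
  foreach ($watched as $perm) {
    if (!isset($permissions[$perm]['roles'])) {
      // Absent from the array: the alter hook never set it, so its
      // grants are decided elsewhere and need a separate look.
      $report['unmanaged'][] = $perm;
      continue;
    }
    $hit = array_values(array_intersect($permissions[$perm]['roles'], $effective));
    if ($hit) {
      // Record which role caused the leak, direct or inherited.
      $report['leaks'][$perm] = $hit;
    }
  }
  return $report;
}

// Constructed sample input, not Open Atrium's real export: one grant
// reaches employees through 'authenticated user', one names the role
// directly, one is clean, and one watched permission is missing.
$sample = array(
  'create book content' => array(
    'name' => 'create book content',
    'roles' => array('authenticated user', 'manager'),
  ),
  'add content to books' => array(
    'name' => 'add content to books',
    'roles' => array('administrator', 'employee'),
  ),
  'create new books' => array(
    'name' => 'create new books',
    'roles' => array('administrator', 'manager', 'committee member'),
  ),
);
$watched = array('create book content', 'add content to books',
  'create new books', 'edit any book content');

print_r(mymodule_audit_role_leaks($sample, 'employee', $watched));
```

Permissions listed under 'unmanaged' are the ones to review by hand, since the override array says nothing about who holds them.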