A user is anyone who visits your website, including you, whether or not they have an account on the site. Drupal manages what different users can view and do on your site through an access control system that uses roles and permissions. Permissions are very granular and determine specific access, like “administer users”, while roles bundle sets of permissions together to make them easier to assign to different users. Drupal core comes with 3 default roles: anonymous, authenticated, and administrator. You can add to this list and customize the permissions for all of them.
As a module developer, you can programmatically get information about users. You can also add your own custom permissions to the site to allow or restrict access to features or tasks.
Example tasks
- Create a new user
- Allow a user to create content
- Define a role with a limited set of permissions
Confidence
This is a stable core feature.
Drupalize.Me resources
How to change user account registration settings.
For module developers
Want to know if the person that's viewing your custom block is authenticated? Need to change the elements visible on the page based on a user's permissions or roles? Want to display a welcome message for users returning to your site?
All of these things require knowing who the user is that's currently accessing a page. This can be accomplished by using the current_user service to load an object that contains information about the current user as well as methods for checking permissions, and retrieving additional information.
In this tutorial we'll:
- Define what "current user" means
- Use the
current_userservice to retrieve an implementation of\Drupal\Core\Session\AccountInterface - Retrieve information about, and check the permissions of, the current user
By the end of this tutorial you should be able to retrieve and make use of information about the applications current user in order to perform logic in your code that customizes the response for different users.
If you've ever built or administered a Drupal site, the permissions page (/admin/people/permissions) is probably quite familiar.
If you're new to module development, you may wonder where these permissions come from, and how you can specify your own permissions. In this tutorial we'll answer those questions.
First, we'll look at how to define permissions from within a custom module. We'll examine techniques that enable you to provide specific (static) permissions as well as dynamic permissions, which depend on another piece of data, such as the name of a content type. By the end of this tutorial you will understand how to add both static and dynamic permissions to a custom module.
Drupal 7
One of the most powerful features of Drupal is its rich, fine-grained access control system, based around the concept of users, roles, and permissions. In this lesson we'll explain what these pieces are, and how they work together. We'll also discuss the user profile and various user account settings we can manipulate.
Additional resources
For our Mom and Pop site, we're going to need to sort out how to set up access control for our users. In this lesson we'll review our users and their access needs, check and create the roles we need, and then create users.
Additional resources
With roles and users in place on the site, we have a good start, but we aren't actually controlling access very well until we set up the permissions to go with those. In this lesson we need to set permissions for our roles, and take a look at some important security concerns around permissions. Finally, we'll test our access control by logging in as our users to make sure everything is acting as it should.
Additional resources
In this chapter we talk about the powerful and flexible user system in Drupal. We'll create new users and roles, and walk through how the permissions work with them.
External resources
-
User accounts, permissions, and roles API (api.drupal.org)
- This is the official API documentation for developers who need to work with user accounts, access checking, roles, and permissions.