I launched a new site yesterday for a client. It's a restricted content site. Users are only allowed to view certain content types after creating an account.
The simplest, most straightforward way to limit access to individual content types is to install the Content Access module. The module adds an Access Control tab to each content type, which allows fine-grained permission control for viewing and editing that content type.
The site, however, also uses the LoginToboggan module to assign new, but unverified, users to an intermediate, or non-authorized, role. I called this role "Not verified". Pretty original, I know.
So the process for a new user signing up and getting on with viewing content looks like this:
- User creates account
- Account is assigned to the "Not verified" role, whose "View Content Type" box is checked on the Content Access module's Access Control tab
- User is redirected to the home page after account creation
The result: Access Denied
I was shocked to find that all new users being registered to the site were seeing Access Denied for all content on the site! Even the home page returned Error 403.
The problem was that the Content Access module does not supersede Drupal's own access controls. The site's "Not verified" users did not have the "View published content" permission and so were unable to view ANY site content at all until the account verification process was completed.
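
The layering described above, as a simplified Python model added here (it is not Drupal or Content Access code and not from the original post). The role data is constructed, and it assumes an unverified user holds only the "Not verified" role.

```python
# Simplified model of the two access layers (an illustration, not Drupal code).
# Layer 1: the core "View published content" permission, held per role.
# Layer 2: per-content-type view grants, as set on the Access Control tab.

CORE_VIEW = "View published content"

# Constructed sample configuration mirroring the setup in the post.
core_permissions = {
    "anonymous user": set(),
    "Not verified": set(),               # core permission missing
    "authenticated user": {CORE_VIEW},
}
type_view_grants = {                     # content type -> roles allowed to view
    "article": {"Not verified", "authenticated user"},
    "page": {"authenticated user"},
}


def can_view(roles, content_type):
    """Return True only if both layers allow viewing."""
    # Layer 1 is checked first; failing it denies everything (the 403).
    if not any(CORE_VIEW in core_permissions.get(r, set()) for r in roles):
        return False
    # Layer 2 only narrows access for users who already passed layer 1.
    return any(r in type_view_grants.get(content_type, set()) for r in roles)


def ineffective_grants():
    """List (role, content_type) grants the role cannot use by itself."""
    return sorted(
        (role, ctype)
        for ctype, roles in type_view_grants.items()
        for role in roles
        if CORE_VIEW not in core_permissions.get(role, set())
    )


if __name__ == "__main__":
    print(can_view(["Not verified"], "article"))      # denied by layer 1
    print(ineffective_grants())                       # audit of dead grants
    core_permissions["Not verified"].add(CORE_VIEW)   # grant the core permission
    print(can_view(["Not verified"], "article"))      # now decided by layer 2
```

Running the same audit against a real site's role and per-type settings flags any role whose Access Control checkboxes have no effect because the core permission is missing.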