Token Content Access

Token Content Access (TCA) allows you to restrict access to individual entities and Views using URL tokens. In order to view protected entities or Views, users must provide a unique token via the URL.

This allows entities to be published and viewable to anonymous users (for instance with a special link from an email campaign) but not visible to the public at large.

For the purposes of describing the functionality we use the terminology used in the included Token Content Access Nodes module but the principles would be applicable for any other implemented entity and bundles within that entity (node = entity, content type = bundle).

Features

• Permissions are provided to:

  • Administer global TCA settings

  • Administer TCA Views Protection

  • Bypass TCA Views Protection

  • For each implemented entity based module (e.g. Token Content Access Nodes):

    • Administer TCA settings for Nodes and for individual Content Types.

    • Bypass the TCA protection for all nodes of that content type.

    • Bypass the TCA protection for a Content Type.

• Configure the parameter key (e.g. in this URL: 'about?tca=token', 'tca' is the parameter key) to meet your use cases and/or to make brute force attacks harder:

  • The site default in the module settings.

  • For each Content Type.

  • For each View protected by TCA.

• Flood control to make it harder for brute force attempts to find the token. It is configurable for:

  • IP Address

  • Node or View

• Configure for each Content Type:

  • Whether TCA protect will be enforced for all nodes in a content type; this will only apply to nodes created or edited after this setting is applied.

  • Whether the token can be overridden for Nodes in that content type.

• By default, the token is a 43-character URL-safe token. However, it can be overridden in the following ways:

  • A manually entered token; this will be validated to ensure it is safe for URLs.

  • Copied from another protected Node (this is defined in the Token Content Access Nodes module but the implementation could be copied for other modules).

  • Copied from the parent item within a book or the top of the book (this is defined in the Token Content Access Nodes module). 

• By default, protected Nodes are removed from Views results, however there is a switch within the View Display settings, 'Token Content Access Node Override', that allows otherwise protected nodes to be included in a View.

• If you have the Views Bulk Operations module installed, you can create a view with Bulk Operations to either 'Add Token Content Access to Nodes' or 'Remove Token Content Access from nodes'.

• Protect a View even if the nodes or other entities aren't protected (if nodes are protected in the View, use the TCA Node Override switch to avoid having to have multiple tokens).

• Stores an authenticated token submitted within the URL in the session so that a user, even an anonymous user, can access multiple entities or Views that use the same token; the token is removed from the session when it ends or if an unsuccessful attempt to authenticate another token is made.

This module is designed with performance in mind, so it doesn't use traditional solutions like node grants. This also means that it's not guaranteed to block access in all situations, for instance, if you expose node content via means other than Views such as using the "Existing content" block in a layout or in an Entity Reference field.

Key locations

• Backdrop CMS Project Page
• Usage statistics
• GitHub Project Page
• GitHub Issue Queue