Access control in Drupal 8 with the Rabbit Hole module
Your website’s pages live in the World Wide Web. However, not all of them should always be displayed to users just as they are. There are plenty of reasons to control how they are accessed and displayed.
In this post, we explain why, as well as describe how your website can benefit from one of the most interesting Drupal 8 modules for user access and page display control — the Rabbit Hole.
Why is page access control important?
There are a few nuances of page access control, some of which may not be obvious at first glance. Let’s look at a few.
- Website page access control enhances your website’s security by prohibiting the views of restricted pages. They may contain sensitive or personal information that should not be seen.
- Being able to control page access allows you to create interesting access-based functionality (like subscription content).
- This takes care of your website’s attractive look. Sometimes there are “building blocks” of a page layout that should not be seen by users because, for example, they are not properly themed.
- For similar reasons, some pages should be hidden from from indexing by the search engines, so page access control also helps your SEO.
All these and many other tasks can be entrusted to the Rabbit Hole module in Drupal 8. You can always rely on our Drupal development team for installing and configuring it on your website and taking care of all page access nuances. In the meantime, let’s take a tour of how the module works.
The essence of the Rabbit Hole module in Drupal
The Rabbit Hole module in Drupal really stands out from other modules by offering interesting options of what happens when someone is viewing a particular Drupal page (or entity).
Instead of displaying the Drupal entity, the module can:
- redirect the user to another page (with the possible use of tokens)
- show “Page not found”
- show “Access denied”
This Drupal module’s name might remind you of Alice in Wonderland's story or the concept of parallel universes. The expression “go down the rabbit hole” often means getting into a surreal situation. All this makes sense — with the Rabbit Hole module, your Drupal entities exist but their display is different.
A few common scenarios (specifically from the Drupal point of view):
- You want to grant or deny user access to entity types or specific Drupal entities based on user roles — for example, to display paid content to users with a subscription. Special user roles can be allowed to bypass the Rabbit Hole action.
- You want to hide the full display of nodes that only serve as building blocks for a Views slideshow or other Drupal page. They also should not be indexed by Google.
So let’s take a closer look at how it works and go down the rabbit hole a little bit.
How the Rabbit Hole module in Drupal 8 works
Rabbit Hole module installation
The Rabbit Hole is a complex Drupal module that works with different types of entities — nodes, taxonomy terms, users, etc.
When installed, it offers a bunch of submodules to be enabled alongside the main module. For most common situations, i.e. for working with content, we need the “Rabbit Hole nodes” submodule enabled. However, it depends on the task.
Being able to control page access allows you to create interesting access-based functionality (like subscription content).
Rabbit Hole module configuration
1. Rabbit hole settings for an entity type
The module’s page display and user access control settings are found in the entity type’s “Edit” page. You can set the behavior as:
- Page redirect
- Display the page
- Page not found
- Access denied
After selecting the behavior and clicking “Save,” you can check the result by opening the node page in an incognito window. You cannot see the result as admin, because the admin has the default permission to bypass the Rabbit Hole action.
2. The special “Page redirect” option
If the “Page redirect” option is selected, we can enter the redirect path or use available tokens. To do the latter, the Token Drupal module also needs to be installed.
Using page redirect, we can, for example:
- redirect the users to the specially created subscription page asking them to subscribe to view the content
- use one of the tokens like [site:login-url] that will take the user to the login page showing them they need to register to view the content
- redirect the users from the individual nodes that are part of the slideshow to the slideshow page itself or the homepage.
3. Rabbit hole settings for an individual entity
On the same dashboard, you can also check or uncheck “Allow these settings to be overridden for individual entities.”
With this enabled, Drupal Rabbit Hole settings are also found on the particular entity’s “Edit” page.
4. Rabbit Hole permissions
To give permissions for particular roles to bypass Rabbit Hole action or to administer its settings, go to People — Permissions.
For example, you can create the VIP user role who will be able to view the specific content type, while others will see “Access denied,” be redirected to a subscription page, or login page.
Use the best options for access control in Drupal 8
There are no limits to how deep this rabbit hole goes. The most fine-grained scenarios of page display and user access control in Drupal 8 are possible with the Rabbit Hole module.
Just ask our Drupal team to create them for you, configure the module, or develop custom modules for your specific ideas!