Restricting Content Access in Drupal 8 using Permissions by Term

Now, for something different from my usual musings, a tech blog!

I recently started setting up a website for a casual gaming group I am part of. I decided to try Drupal as it seemed to have the ultimate flexibility I was looking for and I didn’t have time to code all the features I wanted into the site myself. As I got the ball rolling with Drupal 8, I became increasingly unhappy with the fact that Drupal had no way built into it’s Core to restrict content access to certain authenticated users or, in my case, members. You can use block configuration to limit the visibility of certain elements by roles, but it does not put a hard restriction on viewing the element if the user knows the address. By default, Drupal has several ways to restrict who can create and edit content but assumes that all published content can/should be seen by everyone.

To compound the problem, because Drupal 8 had been “recently” released (out for 4 months when I started with it), the module support for it had not caught up and none of the known modules that restricted access in Drupal 7 were ready for Drupal 8.  Eventually, a drupal community member named Peter Majmesku found he needed this functionality so badly that he created the module Permissions by Term:

Permissions by Term allows you to create a Taxonomy term in Drupal (like a tag) and then apply restrictions to that term by individual users or role groups. Then, any content to which you add a reference to the term will be restricted (i.e. viewable or editable) to only people you have specified.

Making it Work

To begin, install the Permissions by Term module the way you would any other Drupal 8 module using either the link or the download from the project page located at . Be sure to install/enable it so that it is checked in the Admin Menu > Extend list.


There are many different needs and use cases for restricting access to specific content. I imagine the most common will be that you have content on the site that you want accessible by authenticated users belonging to a specific role group but not the public. Going beyond this, you may want different role groups to be able to access different types of content. In any case, it’s a good idea to have the users, or at least the roles, exist in your system before you attempt to restrict access to them.


It also might be a good idea to grant users the role you intend to restrict access by, though not strictly necessary. You can, of course, add more roles and users after setting the permissions and alter the permissions after they have been specified. So don’t worry if you don’t have your entire permission structure fully baked. However, it would probably help to have a good idea about how you are going to want to organize access in the future before you start restricting it.


If you are satisfied that you know how you want to restrict access, the first step is to create a new Taxonomy vocabulary. This is basically creating a container for the various terms that you might use to restrict access in different ways. You could technically create different vocabularies, each with their own terms to be used for restricting access and your needs might demand it. But I think the most straightforward way to organize it would be to create a vocabulary called something like “Access Restrictions” that you use to put all the restricting terms in. You do this by going to Admin Menu > Structure > Taxonomy and click the + Add vocabulary button. Give your Vocabulary a name and a description of the types of terms it might contain. Once done, click Save.


You will then be presented with the terms associated with the new vocabulary, of which there will be none by default. Click the +Add Term button to add a new one.  You can call it whatever you think is appropriate, probably something descriptive of how you plan on using it to restrict access. If you are familiar with Drupal Taxonomy, you will notice a new section for the term called PERMISSIONS. This is where you can restrict access to any number of roles or specific users. Give the term a description, again a good choice would be something that indicates to whom access is restricted by this term and then Save it.


You’ll now have a term you can use to restrict content with. You could certainly add more to suit your restriction needs now or at a later time.


Now you’ll want to create a content type that you are going to restrict access to. Go to Admin Menu > Content types and click the + Add content type button. Drupal being what it is, this could be anything from a type of page to a file. In my case, let’s say it is a type of page that you want to put content on that can only be seen by certain users who are authenticated with your site and members of a specific role group (so not visible to the public). Once you have the details set, click Save and manage fields.


After the content type is created you will be presented with the fields that it will contain. By default there is only a body field. Click the + Add field button to add the field that will activate the access restriction. For this new field you want to ensure that Taxonomy term is selected under Add a new field (this assumes you haven’t already created such a field previously, if you have you can simply select it under Re-use an existing field). You can give the field any label you want, the key part is that the Machine name reads field_secured_areas with that exact spelling. Once you have done this click Save and continue to move on.


You should then be presented with the Field Settings which you should ensure that Type of item to reference is set to Taxonomy term and the Allowed number of values is set to 1 (as of this writing this is all the module supports, though there has been talk about changing it here: Once you have ensured the above, select Save field settings.


You will then be presented with the field details to edit. You can give the field any label you like, again it might be useful to call it something that refers to the fact that it is there to provide the restriction to the content. Ensure that the Reference method is set to Default and that you check the box next to the vocabulary you created that contains the terms with the restrictions you want to use. At this point you can click Save settings or you can optionally add a DEFAULT VALUE first.

Whether you use a default value, or not, is up to you. If you don’t specify one, then any time a new instance of this content type is created, the value will have to be specified. Otherwise, the content will not be restricted. You may want this. You also may want the field to be editable so anyone with edit rights to this content type can change the restrictions (though importantly, even if a user has the Drupal permissions to edit the content type, they will not be able to edit it if the term permissions restrict their access). Conversely, you may want to specify a default value and then hide the field in the content type’s form display so that any time this content type is created or edited, it automatically has the correct restriction without the creator/editor even knowing it is there. You could also specify a default simply so content creators have a guide so that when they create new content they might usually leave the field alone but could change it if they have specific need.


Once the field is created, you will see it in the list of fields for the content type. Ensure that the machine name for the field is field_secured_areas. You could also add any other fields you want to be part of this content type. It is now ready to use. You can also grant create and edit permissions to other users/roles or add it to their shortcuts.


Now, in any content list you can click the + Add Content button, if you have permissions to do so, and you will see it in the list of content type options. Select it to start creating a new piece of content.


If the field is visible in the Manage form display settings for the content type, you will see it in the editor and possibly be able to edit it. The rest of the content creation is the same as any other Drupal content creation.


If the field is visible in the Manage display settings for the content type, you will see it displayed with the rest of the content.


Any user not specified in the term permissions who attempts to access (either viewing or editing) the content will simply get an access denied response.


That’s it! I can’t speak highly enough about how this module saved my site. I feel as though restricting access to content for certain users is common enough to warrant that functionality being part of Drupal’s Core. Some day it probably will. But for now, you can use this module with Drupal 8 to restrict access any way you need to.


I Just Pick The Girl A.K.A. Character Selection Shouldn’t Be an Exercise in Gender Studies

After seeing a lot of what was on offer this year at E3, it is clear that many developers still don’t understand the importance of gender identity to players.

Even though I didn’t know it at the time, I was being presented with evidence of the importance of gender identity in video games as early as 1988. Back then, my sister and I would often play video games together. When Super Mario 2 came out, my sister finally had a chance to choose an avatar that matched her gender with Princess Peach.  Despite the game offering other characters with other abilities to choose from, she always chose the female character. “Because she’s a girl” was generally the entire reason given. This trend continued in games like Super Mario Kart, with her always choosing the female character regardless of that character’s performance in relation to the others.

Later, when I began playing games with my girlfriend (now my wife), I noticed the same thing. We would play games like Baldur’s Gate Dark Alliance and if the game contained a female character for the players to choose from, she always chose that one. I would ask her about it and her response was always “I just pick the girl.” This was the case regardless of the play style involved.

We now know (or should know) that when the gender of a player’s game avatar matches their own it increases their immersion and presence. Avatar/player gender match helps the player focus less on their avatar and more on what they are doing. In short, all things we as developers want to happen.  We also know this goes even further when you get into other things like age, race, and social status. But those can be exponentially more complicated and bring along other issues. So for now, I am going to focus simply on the basic personal identifier of gender.

Now, I am a strong believer that there are games where the player character’s gender can’t or shouldn’t be mutable. Most commonly these would be cases such as Halo or Tomb Raider where the game is about walking a specific character through their story. It’s also the case that alternative choices for gender may be thematically inappropriate such as playing a front-line combat solider during World War II as a woman. I’m not addressing those types of games.

What I’m referring to are games where the identity of the avatar is not specific or functionally relevant. This is more often the case in multiplayer games (and perhaps more relevant due to the social nature of multiplayer) like Battlefield 3 but can also be the case in single-player games like Crysis. In both these cases ,and in countless others, the gender of the player’s character could just as easily be female and could make them that much more appealing and enjoyable by female players. It seems like a no-brainer as these developers and publishers often lament about the need to gain more marketshare, particularly with the female demographic.

Sometimes developers try. There are good examples such as most Bioware products like the Mass Effect and Dragon Age series. Also most MMOs provide the ability for players to choose their character’s gender. Sadly, most developers end up patronizing gender choice by feigning diversity of character selection.

Consider a games like Borderlands. A multi-player cooperative game where players are given a choice from a cast of characters that includes exactly one female. Assuming we want maximum player immersion and connection with their characters (re: enjoyment), this setup is perfect if the group of players contains exactly one female and she likes the play style the female character offers. Great. As my own anecdotal experience (and probably research) shows, the female player will likely pick the female character and maybe just suck up any quibbles with the gameplay.

But what happens when that is not the case? What happens when 2 women are playing? Who gets to play the female character? What about 4 women playing together? What about 4 men? Maybe as a male I don’t identify with the female character as much but that’s my only option because I like the abilities and the play-style that character offers.

There are so many games with this type of setup I couldn’t even come up with an appropriate short list to represent this situation but here are some examples: Diablo series, Left 4 Dead series, and the Trine series. In all of these cases the gender (and indeed the identity) of the characters is irrelevant and could easily be male or female but this choice was omitted. As much as I would love to chock these up as old examples of an industry still trying to figure out the changing demographics of its players, it is clear from E3 2014 that this trend is still going to continue.

In these cases there is no excuse for not offering both a male and female option for the player’s avatar character. Yes, it takes extra time to model/animate. Yes, it takes extra time and money to pay additional voice talent and manage double the voice assets. Yes, it takes extra code to manage the difference between avatars. I don’t care if you are not creative enough to design and budget for it. Handling character customization is a solved problem at this point. Not only is it worth it, but at this point in time the community will let you know that it is no longer acceptable to omit this choice.

The bottom line is this: If you don’t give players the ability to choose their character’s gender, you fail. 

The Promise of Video Games

In the early days of man, the invention of writing brought with it such promise. It gave people the ability to share history, experiences, and ideas with others beyond direct verbal communication and time. It allowed information to be shared directly from the source to others even generations later. Additionally, it gave people the ability to share ideas and stories in a way that allowed the imaginations of a few to be shared,  unfiltered and unedited, with many.

Pictures brought with them a different promise by allowing the artist (and later photographer) to convey an idea or an experience to the viewer without them having to merely imagine it. In modern times we’ve enhanced this process with moving pictures along with the technologies to reproduce sounds. We’ve even dabbled with technologies catering to the other senses. We’ve gotten to the point now where we can present virtually any experience, real or imagined, to a viewer. But this is the limit.

Up until this point, all human media has been able to do is “show and tell” to the person experiencing it. It’s been effective because humans are intelligent, learning creatures with imaginations. We can read a book like Sophie’s Choice and imagine what that kind of experience would be like. We can relate that situation to our own lives and suitably understand the horror of the situation that the author is trying to convey.

But video games (and much interactive media) bring with them a new promise, the promise of the experience. Unlike written fiction or motion pictures that simply present an experience to their audience, video games allow them to actually experience it themselves.

When I first saw Star Wars and watched Luke Skywalker flying his X-Wing fighter and dogfighting with Tie Fighters in space, I thought it was unbelievably cool and my brain buzzed with thoughts about how intense that experience must be. Years later, the first time I played LucasArt’s X-Wing on the computer my mind was again buzzing, but in a different way.

This time I was able to actually experience what it was like to dogfight with Tie Fighters in space. Instead of the Tie Fighters shooting at Luke and creating anxiety for me due to my concern for Luke as the protagonist of the story with whom I sympathized, now they were shooting at me. I had to concern myself with evading enemy fire, balancing and redirecting shield/engine/weapon systems, and trying to take them out before they blew me out of the stars and ended my experience.

If the developers wanted me as their audience to better understand what it was like to fly this imaginary ship from and imaginary universe that George Lucas thought up, I’d say to a certain extent they achieved their goal. I had experienced the mechanics of space combat in the Star Wars universe, but did I really know what that experience was like?

After all, my life wasn’t in actual danger. It wasn’t my real friends and compatriots getting blown to pieces around me. I wasn’t actually killing other people in the name of a cause that I was fighting for because I had felt the oppression first-hand and was so enraged that I needed to fight back.

Some would argue (and I wouldn’t necessarily disagree) that this is what makes it fun. The fact that you can experience the rush  of combat and the experience of warfare without all the heavy and morbid reality. If you take away death and any other real consequence, what is war anyways besides a competition of skill, strategy, and desire to win?

But what if you want players to experience these things? What if you want your audience to really understand oppression or feel real loss? What if you want players to know what it is like to be emotionally invested in a situation so strongly that they feel the difficulty of making a choice like Sophie did? For the first time in history, we are working with a medium where this is possible. But have we been living up to this promise?

Video games have been around for decades now but very few have come close to living up to the real promise of the experience. I feel this due to several factors.

Obviously, some video games are simply an electronic extension of a card or board game not meant to convey an experience beyond the game itself. Many puzzle games fit into this situation.

In other cases, many video games are based on real sports, an experience that is based almost entirely on one’s physical performance. In these cases the closer one comes to trying to simulate these experiences, a la wii sports, the more like playing the actual sport the experience becomes. At this point the need to use a video game to convey this experience becomes rather pointless and the games are more of a crowd/attention experience simulation. However, it should be noted that one’s ability to play other non-sport games such as Starcraft or League of Legends has become its own sport and has managed to unintentionally bring that experience to the players who compete.

To some extent, technical limitations have existed that make it difficult to create an experience believable enough to make the appropriate impression. The most obvious of these situations is visually but also includes things like NPC interaction and meaningful choice.

In most other cases, video games have been built off of an existing intellectual property (movie, TV show, or even novel). In these cases the goal is usually, like with X-Wing, to give you the chance to experience some part of the source material that is indicative of that media. Also like X-Wing, most often these experiences don’t fully live up to the video game promise because the context has already been provided for you. You already know who the “bad” people are and how you are supposed to treat them. The why has been given to you and often you can do very little to deviate from the source outcome.

This is not to say that there haven’t been some good examples of video games delivering on elements of the promise of the experience. WARNING: The following paragraph contains spoilers.

In Half-Life 2 the player is introduced to a world where the people are being oppressed by the Overwatch and the player is made to feel this most pointedly at the beginning when they are ordered to put a can in a trashcan by a masked Overwatch officer who beats the player if they disobey. In Portal, the player is given the opportunity to form an attachment with an inanimate “companion cube” that they must bring with them and use to help solve puzzles. The player is then given a chance to experience more substantial loss when they must destroy the cube in order to proceed. In Mass Effect, after playing with your team of NPC squad mates for the bulk of the game, there comes a point where 2 are in danger and you must choose which one will live and which must die (a virtual Sophie’s Choice).

In all of these examples, the games not only achieved commercial success but remain some of the most well-regarded and “favorite” experiences of those who have played them. While there are many other factors involved and it is sometimes difficult to corroborate strength of experience with enjoyment, I believe this is no accident. I also believe that we, as developers, can do much, much more.

It is true that when making a game we must balance other factors such as entertainment value, difficulty, and fun. We’re trying to sell games right? But is that all we are trying to do? Is it even possible to create experiences that truly convey the emotions of other experiences? Could we legitimately make players fear for their lives? If we could, should we? Could we still sell these types of experiences and would people buy them? These are big questions so I will explore the answers in future writings.

For now I simply hope I have given you something to think about and have properly conveyed what I believe to be the defining characteristic of our medium. It is my belief that the more we realize and embrace this fact, the more it will set us free.

-Chris Riffey

It has begun…

I may be late to the blogging party but that’s mostly because, in the past, I chose to share my thoughts on game design and development with others in person where immediate discussion happens.

However, I am now older and and arguably wiser and have seen the value of game development blogs not only as a sounding board but also as a resource for others in the industry. I feel like there are never enough good resources for our industry and I have strong opinions about how many things are going wrong, as you’ll find out. So I am finally going to start putting my rants to paper and see where they go. If you have feelings about what I say, positive or negative, feel free to comment or contact me about them. This is a new area of time devotion for me so I will try to be as diligent about this as I can.

So here we are. I don’t promise to be entertaining, but I promise to be passionate. Whether you are a fellow game developer or just someone interested in what I have to say, welcome.

– Chris Riffey