node_access

Versions
4.6 – 4.7
node_access($op, $node = NULL, $uid = NULL)
5
node_access($op, $node = NULL)
6 – 7
node_access($op, $node, $account = NULL)

Determine whether the current user may perform the given operation on the specified node.

Parameters

$op The operation to be performed on the node. Possible values are:

  • "view"
  • "update"
  • "delete"
  • "create"

$node The node object on which the operation is to be performed, or the node type (e.g. 'forum') for the "create" operation.

$account Optional, a user object representing the user for whom the operation is to be performed. Determines access for a user other than the current user.

Return value

TRUE if the operation may be performed, FALSE otherwise.

Related topics

▾ 4 functions call node_access()

book_node_view_link in modules/book/book.module
Inject links into $node as needed.
_book_outline_access in modules/book/book.module
Menu item access callback - determine if the outline tab is accessible.
_node_add_access in modules/node/node.module
_node_revision_access in modules/node/node.module

Code

modules/node/node.module, line 2393

<?php
/**
 * Decide whether an account may carry out an operation on a node.
 *
 * The checks run in a fixed order and the first one that reaches a verdict
 * wins: the 'bypass node access' permission, the 'access content' permission,
 * the answers collected from the 'node_access' hook, the author's right to
 * view their own unpublished node, and finally the node_access table.
 *
 * @param $op
 *   One of 'view', 'update', 'delete' or 'create'. Any other value is refused.
 * @param $node
 *   The node object to check, or the node type (e.g. 'forum') when $op is
 *   'create'.
 * @param $account
 *   (optional) The user object to check access for. When empty, the global
 *   $user is used instead.
 *
 * @return
 *   TRUE if the operation may be performed, FALSE otherwise.
 */
function node_access($op, $node, $account = NULL) {
  global $user;

  // Nothing to check against: access denied.
  if (!$node) {
    return FALSE;
  }
  // Strict allow-list. $op is concatenated into a column name further down
  // ('grant_' . $op), so only these four exact strings may get past here.
  $supported_ops = array('view', 'update', 'delete', 'create');
  if (!in_array($op, $supported_ops, TRUE)) {
    return FALSE;
  }

  // Without an explicit account, the check applies to the current user.
  $account = empty($account) ? $user : $account;

  // The bypass permission short-circuits every later check, including the
  // module hooks below.
  if (user_access('bypass node access', $account)) {
    return TRUE;
  }
  // Accounts lacking 'access content' are refused before any module is asked.
  if (!user_access('access content', $account)) {
    return FALSE;
  }

  // Collect the module answers. A single NODE_ACCESS_DENY outweighs any
  // number of NODE_ACCESS_ALLOW answers, so the deny test must come first.
  // When neither value is present, the decision falls through to the checks
  // below.
  $verdicts = module_invoke_all('node_access', $node, $op, $account);
  if (in_array(NODE_ACCESS_DENY, $verdicts, TRUE)) {
    return FALSE;
  }
  if (in_array(NODE_ACCESS_ALLOW, $verdicts, TRUE)) {
    return TRUE;
  }

  // Authors holding 'view own unpublished content' may view their own
  // unpublished nodes. uid 0 (the anonymous account in Drupal) is excluded so
  // that a node owned by uid 0 is not opened to every anonymous visitor.
  if ($op == 'view' && !$node->status) {
    if (user_access('view own unpublished content', $account) && $account->uid == $node->uid && $account->uid != 0) {
      return TRUE;
    }
  }

  // The node_access table is only consulted for existing nodes; 'create' and
  // nodes without a nid are denied at this point.
  if ($op == 'create' || !$node->nid) {
    return FALSE;
  }

  // Look for at least one row granting $op on this node.
  $select = db_select('node_access');
  $select->addExpression('1');
  $select->condition('grant_' . $op, 1, '>=');
  // Published nodes also match rows stored under nid 0; unpublished nodes
  // only match rows for their own nid.
  $nid_filter = db_or()->condition('nid', $node->nid);
  if ($node->status) {
    $nid_filter->condition('nid', 0);
  }
  $select->condition($nid_filter);
  $select->range(0, 1);

  // Restrict the rows to the (realm, gid) pairs this account holds.
  $grant_filter = db_or();
  foreach (node_access_grants($op, $account) as $realm => $gids) {
    foreach ($gids as $gid) {
      $pair = db_and()
        ->condition('gid', $gid)
        ->condition('realm', $realm);
      $grant_filter->condition($pair);
    }
  }
  // NOTE(review): if node_access_grants() yields no pairs, the query runs
  // without any realm/gid restriction, so any row with a sufficient grant
  // matches. Confirm that helper always returns at least one realm.
  if (count($grant_filter) > 0) {
    $select->condition($grant_filter);
  }

  $match = $select->execute()->fetchField();
  return (bool) $match;
}
?>

All source code and documentation on this site is released under the terms of the GNU General Public License, version 2 and later. Drupal is a registered trademark of Dries Buytaert.