Node access rights

The node access system determines who can do what to which nodes.

In determining access rights for a node, node_access() first checks whether the user has the "bypass node access" permission. Such users have unrestricted access to all nodes. User 1 always passes this check.

Next, all implementations of hook_node_access() will be called. Each implementation may explicitly allow, explicitly deny, or ignore the access request. If at least one module says to deny the request, it will be rejected. If no modules deny the request and at least one says to allow it, the request will be permitted.

If all modules ignore the access request, then the node_access table is used to determine access. All node access modules are queried using hook_node_grants() to assemble a list of "grant IDs" for the user. This list is compared against the table. If any row contains the node ID in question (or 0, which stands for "all nodes"), one of the grant IDs returned, and a value of TRUE for the operation in question, then access is granted. Note that this table is a list of grants; any matching row is sufficient to grant access to the node.

In node listings, the process above is followed except that hook_node_access() is not called on each node for performance reasons and for proper functioning of the pager system. When adding a node listing to your module, be sure to use a dynamic query created by db_select() and add a tag of "node_access" to ensure that only nodes to which the user has access are retrieved.

Note: Even a single module returning NODE_ACCESS_DENY from hook_node_access() will block access to the node. Therefore, implementers should take care to not deny access unless they really intend to. Unless a module wishes to actively deny access it should return NODE_ACCESS_IGNORE (or simply return nothing) to allow other modules or the node_access table to control access.
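
The decision order described above, as a simplified stand-alone PHP model (an added example, not Drupal's node_access() code). The function name model_node_access(), the "team" realm and the sample rows are assumptions constructed for illustration; an empty hook result list models a listing, where hook_node_access() is not called.

```php
<?php
// Simplified model of the decision order described above; not Drupal's code.
// Constant names match Drupal's; defined here so the file runs on its own.
define('NODE_ACCESS_ALLOW', 'allow');
define('NODE_ACCESS_DENY', 'deny');
define('NODE_ACCESS_IGNORE', NULL);

/**
 * $hook_results: values returned by hook_node_access() implementations
 *   (pass array() to model a listing, where the hook is not called).
 * $user_grants: realm => grant IDs, shaped like hook_node_grants() output.
 * $table: rows shaped like the node_access table.
 */
function model_node_access($nid, $op, $bypass, array $hook_results, array $user_grants, array $table) {
  if ($bypass) {
    return TRUE;
  }
  // A single DENY rejects the request, whatever other modules said.
  if (in_array(NODE_ACCESS_DENY, $hook_results, TRUE)) {
    return FALSE;
  }
  if (in_array(NODE_ACCESS_ALLOW, $hook_results, TRUE)) {
    return TRUE;
  }
  // Every module ignored the request: any one matching grant row suffices.
  foreach ($table as $row) {
    $node_matches = ($row['nid'] === $nid || $row['nid'] === 0);
    $grant_matches = isset($user_grants[$row['realm']])
      && in_array($row['gid'], $user_grants[$row['realm']], TRUE);
    if ($node_matches && $grant_matches && !empty($row['grant_' . $op])) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed sample data: node 7 grants view to grant ID 2 in realm "team".
$table = array(
  array('nid' => 7, 'realm' => 'team', 'gid' => 2, 'grant_view' => 1, 'grant_update' => 0),
);
$member = array('team' => array(2));
$outsider = array('team' => array(5));

// Single-node check: one module allows, one ignores, another denies.
var_dump(model_node_access(7, 'view', FALSE, array(NODE_ACCESS_ALLOW, NODE_ACCESS_IGNORE, NODE_ACCESS_DENY), $member, $table));
// Listing path for the same user: hook results are not consulted.
var_dump(model_node_access(7, 'view', FALSE, array(), $member, $table));
// Listing path for a user without a matching grant ID.
var_dump(model_node_access(7, 'view', FALSE, array(), $outsider, $table));
```

Compare the first two calls: a restriction enforced only by returning NODE_ACCESS_DENY from hook_node_access() is not applied to listings, so it also has to be expressed as grants in the node_access table.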

To see how to write a node access module of your own, see node_access_example.module.

Functions

| Name | Location | Description |
| --- | --- | --- |
| hook_node_access | modules/node/node.api.php | Control access to a node. |
| hook_node_access_records | modules/node/node.api.php | Set permissions for a node to be written to the database. |
| hook_node_access_records_alter | modules/node/node.api.php | Alter permissions for a node before it is written to the database. |
| hook_node_grants | modules/node/node.api.php | Inform the node access system what permissions the user has. |
| hook_node_grants_alter | modules/node/node.api.php | Alter user access rules when trying to view, edit or delete a node. |
| node_access | modules/node/node.module | Determine whether the current user may perform the given operation on the specified node. |
| node_access_acquire_grants | modules/node/node.module | This function will call module invoke to get a list of grants and then write them to the database. It is called at node save, and should be called by modules whenever something other than a node_save causes the permissions on a node to change. |
| node_access_grants | modules/node/node.module | Fetch an array of permission IDs granted to the given user ID. |
| node_access_needs_rebuild | modules/node/node.module | Flag / unflag the node access grants for rebuilding, or read the current value of the flag. |
| node_access_rebuild | modules/node/node.module | Rebuild the node access database. This is occasionally needed by modules that make system-wide changes to access levels. |
| node_access_view_all_nodes | modules/node/node.module | Determine whether the user has a global viewing grant for all nodes. |
| node_access_write_grants | modules/node/node.module | This function will write a list of grants to the database, deleting any pre-existing grants. If a realm is provided, it will only delete grants from that realm, but it will always delete a grant from the 'all' realm. Modules which utilize... |
| node_list_permissions | modules/node/node.module | Helper function to generate standard node permission list for a given type. |
| node_node_access | modules/node/node.module | Implement hook_node_access(). |
| node_permissions_get_configured_types | modules/node/node.module | Returns an array of node types that should be managed by permissions. |
| node_query_node_access_alter | modules/node/node.module | Implement hook_query_TAG_alter(). |
| _node_access_rebuild_batch_finished | modules/node/node.module | Post-processing for node_access_rebuild_batch. |
| _node_access_rebuild_batch_operation | modules/node/node.module | Batch operation for node_access_rebuild_batch. |

All source code and documentation on this site is released under the terms of the GNU General Public License, version 2 and later. Drupal is a registered trademark of Dries Buytaert.