function hook_node_access_records

Same name in other branches
  1. 7.x modules/node/node.api.php \hook_node_access_records()
  2. 9 core/modules/node/node.api.php \hook_node_access_records()
  3. 8.9.x core/modules/node/node.api.php \hook_node_access_records()
  4. 11.x core/modules/node/node.api.php \hook_node_access_records()

Set permissions for a node to be written to the database.

When a node is saved, a module implementing hook_node_access_records() will be asked if it is interested in the access permissions for a node. If it is interested, it must respond with an array of permissions arrays for that node.

Node access grants apply regardless of the published or unpublished status of the node. Implementations must make sure not to grant access to unpublished nodes if they don't want to change the standard access control behavior. Your module may need to create a separate access realm to handle access to unpublished nodes.

Note that the grant values in the return value from your hook must be integers and not boolean TRUE and FALSE.

Each permissions item in the array is an array with the following elements:

  • 'realm': The name of a realm that the module has defined in hook_node_grants().
  • 'gid': A 'grant ID' from hook_node_grants().
  • 'grant_view': If set to 1 a user that has been identified as a member of this gid within this realm can view this node. This should usually be set to $node->isPublished(). Failure to do so may expose unpublished content to some users.
  • 'grant_update': If set to 1 a user that has been identified as a member of this gid within this realm can edit this node.
  • 'grant_delete': If set to 1 a user that has been identified as a member of this gid within this realm can delete this node.
  • langcode: (optional) The language code of a specific translation of the node, if any. Modules may add this key to grant different access to different translations of a node, such that (e.g.) a particular group is granted access to edit the Catalan version of the node, but not the Hungarian version. If no value is provided, the langcode is set automatically from the $node parameter and the node's original language (if specified) is used as a fallback. Only specify multiple grant records with different languages for a node if the site has those languages configured.

A "deny all" grant may be used to deny all access to a particular node or node translation:

$grants[] = [
    'realm' => 'all',
    'gid' => 0,
    'grant_view' => 0,
    'grant_update' => 0,
    'grant_delete' => 0,
    'langcode' => 'ca',
];

Note that another module node access module could override this by granting access to one or more nodes, since grants are additive. To enforce that access is denied in a particular case, use hook_node_access_records_alter(). Also note that a deny all is not written to the database; denies are implicit.

Parameters

\Drupal\node\NodeInterface $node: The node that has just been saved.

Return value

array|null An array of grants as defined above.

See also

hook_node_access_records_alter()

Related topics

4 functions implement hook_node_access_records()

Note: this list is generated by pattern matching, so it may include some functions that are not actually implementations of this hook.

node_access_test_empty_node_access_records in core/modules/node/tests/modules/node_access_test_empty/node_access_test_empty.module
Implements hook_node_access_records().
node_access_test_language_node_access_records in core/modules/node/tests/modules/node_access_test_language/node_access_test_language.module
Implements hook_node_access_records().
node_access_test_node_access_records in core/modules/node/tests/modules/node_access_test/node_access_test.module
Implements hook_node_access_records().
node_test_node_access_records in core/modules/node/tests/modules/node_test/node_test.module
Implements hook_node_access_records().
1 invocation of hook_node_access_records()
NodeAccessControlHandler::acquireGrants in core/modules/node/src/NodeAccessControlHandler.php

File

core/modules/node/node.api.php, line 151

Code

function hook_node_access_records(\Drupal\node\NodeInterface $node) {
    // We only care about the node if it has been marked private. If not, it is
    // treated just like any other node and we completely ignore it.
    if ($node->private->value) {
        $grants = [];
        // Only published Catalan translations of private nodes should be viewable
        // to all users. If we fail to check $node->isPublished(), all users would be able
        // to view an unpublished node.
        if ($node->isPublished()) {
            $grants[] = [
                'realm' => 'example',
                'gid' => 1,
                'grant_view' => 1,
                'grant_update' => 0,
                'grant_delete' => 0,
                'langcode' => 'ca',
            ];
        }
        // For the example_author array, the GID is equivalent to a UID, which
        // means there are many groups of just 1 user.
        // Note that an author can always view nodes they own, even if they have
        // status unpublished.
        if ($node->getOwnerId()) {
            $grants[] = [
                'realm' => 'example_author',
                'gid' => $node->getOwnerId(),
                'grant_view' => 1,
                'grant_update' => 1,
                'grant_delete' => 1,
                'langcode' => 'ca',
            ];
        }
        return $grants;
    }
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.