4.6.x node.php hook_access($op, $node)
4.7.x node.php hook_access($op, $node)
5.x node.php hook_access($op, $node)
6.x node.php hook_access($op, $node, $account)

Define access restrictions.

This hook allows node modules to limit access to the node types they define.


$op: The operation to be performed. Possible values:

  • "create"
  • "delete"
  • "update"
  • "view"

$node: Either a node object or the machine name of the content type on which to perform the access check.

$account: The user object to perform the access check operation on.

Return value

  • TRUE if the operation is to be allowed.
  • FALSE if the operation is to be denied.
  • NULL to not override the settings in the node_access table, or access control modules.

The administrative account (user ID #1) always passes any access check, so this hook is not called in that case. If this hook is not defined for a node type, all access checks will fail, so only the administrator will be able to see content of that type. However, users with the "administer nodes" permission may always view and edit content through the administrative interface.

For a detailed usage example, see node_example.module.

Related topics

17 functions implement hook_access()

Note: this list is generated by pattern matching, so it may include some functions that are not actually implementations of this hook.

blog_access in modules/blog/blog.module
Implementation of hook_access().
blog_page_user_access in modules/blog/blog.module
Access callback for user blog pages.
comment_access in modules/comment/comment.module
This is *not* a hook_access() implementation. This function is called to determine whether the current user has access to a particular comment.
file_download_access in includes/file.inc
Checks that the current user has access to a particular file.
filter_access in modules/filter/filter.module
Returns TRUE if the user is allowed to access this format.

... See full list


developer/hooks/node.php, line 160
These hooks are defined by node modules, modules that define a new kind of node.


function hook_access($op, $node, $account) {
  if ($op == 'create') {
    return user_access('create stories', $account);
  if ($op == 'update' || $op == 'delete') {
    if (user_access('edit own stories', $account) && $account->uid == $node->uid) {
      return TRUE;


Akex’s picture

Anyway, this very useful functionality for your modules is still available in D7. (And I hope it will never sweeped out...)
It was just renamed: use hook_node_access, instead.

You can find a reference for this hook here:
hook_node_access($node, $op, $account)

As you can read in node.module:

 * Next, all implementations of hook_node_access() will be called. Each
 * implementation may explicitly allow, explicitly deny, or ignore the access
 * request. If at least one module says to deny the request, it will be rejected.
 * If no modules deny the request and at least one says to allow it, the request
 * will be permitted.
kiamlaluno’s picture

Differently from hook_access(), hook_node_access() (defined in Drupal 7) can be implemented from a module to alter the access to any node, even for the content types it doesn't define.

oknate’s picture

It should be noted that hook_access is only called if your module declares a node type. If you're using CCK you can't use this hook.

bentekwork’s picture

For D6 (if your module does not declare a node type otherwise you can use hook_access). You can use hook_nodeapi instead. Example below will hide NODETYPE from anonymous users if they attempt to view it.

//Block anon users from viewing NODETYPE
function YOURMODULE_nodeapi (&$node, $op){
	if($node->type == 'NODETYPE' and $op == 'view'){

Alun’s picture

If you use the drupal_access_denied(), you also need to stop the rendering process, otherwise you'll end up with the access denied page, and the page you are trying to deny access to below!

Updated code as such:

//Block anon users from viewing NODETYPE
function YOURMODULE_nodeapi (&$node, $op){
    if($node->type == 'NODETYPE' and $op == 'view'){
Ambidex’s picture

Please note that: The above code is not the same as using hook_access() on your module's custom node types. This code assumes you're trying to block a node type when it's being displayed as a page. When the same node might be added to a concatenated list like a View with other nodes, then the entire page will be blocked because of this one node that is being blocked!