4.6.x node.module node_access($op, $node = NULL, $uid = NULL)
4.7.x node.module node_access($op, $node = NULL, $uid = NULL)
5.x node.module node_access($op, $node = NULL)
6.x node.module node_access($op, $node, $account = NULL)
7.x node.module node_access($op, $node, $account = NULL)

Determine whether the current user may perform the given operation on the specified node.


$op: The operation to be performed on the node. Possible values are:

  • "view"
  • "update"
  • "delete"
  • "create"

$node: The node object (or node array) on which the operation is to be performed, or node type (e.g. 'forum') for "create" operation.

$account: Optional, a user object representing the user for whom the operation is to be performed. Determines access for a user other than the current user.

Return value

TRUE if the operation may be performed, or FALSE otherwise.

Related topics

2 calls to node_access()
_book_outline_access in modules/book/book.module
Menu item access callback - determine if the outline tab is accessible.
_translation_tab_access in modules/translation/translation.module
Menu access callback.
2 string references to 'node_access'
comment_menu in modules/comment/comment.module
Implementation of hook_menu().
node_menu in modules/node/node.module
Implementation of hook_menu().


modules/node/node.module, line 2018
The core that allows content to be submitted to the site. Modules and scripts may programmatically submit nodes using the usual form API pattern.


function node_access($op, $node, $account = NULL) {
  global $user;
  if (!$node || !in_array($op, array(
  ), TRUE)) {

    // If there was no node to check against, or the $op was not one of the
    // supported ones, we return access denied.
    return FALSE;

  // Convert the node to an object if necessary:
  if ($op != 'create') {
    $node = (object) $node;

  // If no user object is supplied, the access check is for the current user.
  if (empty($account)) {
    $account = $user;

  // If the node is in a restricted format, disallow editing.
  if ($op == 'update' && !filter_access($node->format)) {
    return FALSE;
  if (user_access('administer nodes', $account)) {
    return TRUE;
  if (!user_access('access content', $account)) {
    return FALSE;

  // Can't use node_invoke(), because the access hook takes the $op parameter
  // before the $node parameter.
  $module = node_get_types('module', $node);
  if ($module == 'node') {
    $module = 'node_content';

    // Avoid function name collisions.
  $access = module_invoke($module, 'access', $op, $node, $account);
  if (!is_null($access)) {
    return $access;

  // If the module did not override the access rights, use those set in the
  // node_access table.
  if ($op != 'create' && $node->nid && $node->status) {
    $grants = array();
    foreach (node_access_grants($op, $account) as $realm => $gids) {
      foreach ($gids as $gid) {
        $grants[] = "(gid = {$gid} AND realm = '{$realm}')";
    $grants_sql = '';
    if (count($grants)) {
      $grants_sql = 'AND (' . implode(' OR ', $grants) . ')';
    $sql = "SELECT 1 FROM {node_access} WHERE (nid = 0 OR nid = %d) {$grants_sql} AND grant_{$op} >= 1";
    $result = db_query_range($sql, $node->nid, 0, 1);
    return (bool) db_result($result);

  // Let authors view their own nodes.
  if ($op == 'view' && $account->uid == $node->uid && $account->uid != 0) {
    return TRUE;
  return FALSE;