1. 8.5.x core/modules/node/node.module node_access
  2. 8.0.x core/modules/node/node.module node_access
  3. 8.1.x core/modules/node/node.module node_access
  4. 8.2.x core/modules/node/node.module node_access
  5. 8.3.x core/modules/node/node.module node_access
  6. 8.4.x core/modules/node/node.module node_access
  7. 8.6.x core/modules/node/node.module node_access
  8. 4.6.x modules/node.module node_access
  9. 4.7.x modules/node.module node_access
  10. 5.x modules/node/node.module node_access
  11. 6.x modules/node/node.module node_access
  12. 7.x modules/node/node.module node_access

The node access system determines who can do what to which nodes.

In determining access rights for a node, node_access() first checks whether the user has the "administer nodes" permission. Such users have unrestricted access to all nodes. Then the node module's hook_access() is called, and a TRUE or FALSE return value will grant or deny access. This allows, for example, the blog module to always grant access to the blog author, and for the book module to always deny editing access to PHP pages.

If node module does not intervene (returns NULL), then the node_access table is used to determine access. All node access modules are queried using hook_node_grants() to assemble a list of "grant IDs" for the user. This list is compared against the table. If any row contains the node ID in question (or 0, which stands for "all nodes"), one of the grant IDs returned, and a value of TRUE for the operation in question, then access is granted. Note that this table is a list of grants; any matching row is sufficient to grant access to the node.

In node listings, the process above is followed except that hook_access() is not called on each node for performance reasons and for proper functioning of the pager system. When adding a node listing to your module, be sure to use db_rewrite_sql() to add the appropriate clauses to your query for access checks.

To see how to write a node access module of your own, see node_access_example.module.


modules/node/node.module, line 1966
The core that allows content to be submitted to the site. Modules and scripts may programmatically submit nodes using the usual form API pattern.


Namesort descending Location Description
hook_access developer/hooks/node.php Define access restrictions.
hook_node_access_records developer/hooks/core.php Set permissions for a node to be written to the database.
hook_node_grants developer/hooks/core.php Inform the node access system what permissions the user has.
node_access modules/node/node.module Determine whether the current user may perform the given operation on the specified node.
node_access_acquire_grants modules/node/node.module Gets the list of node access grants and writes them to the database.
node_access_grants modules/node/node.module Fetch an array of permission IDs granted to the given user ID.
node_access_needs_rebuild modules/node/node.module Flag / unflag the node access grants for rebuilding, or read the current value of the flag.
node_access_rebuild modules/node/node.module Rebuild the node access database. This is occasionally needed by modules that make system-wide changes to access levels.
node_access_view_all_nodes modules/node/node.module Determine whether the user has a global viewing grant for all nodes.
node_access_write_grants modules/node/node.module Writes a list of grants to the database, deleting any previously saved ones.
node_db_rewrite_sql modules/node/node.module Implementation of hook_db_rewrite_sql
_node_access_join_sql modules/node/node.module Generate an SQL join clause for use in fetching a node listing.
_node_access_rebuild_batch_finished modules/node/node.module Post-processing for node_access_rebuild_batch.
_node_access_rebuild_batch_operation modules/node/node.module Batch operation for node_access_rebuild_batch.
_node_access_where_sql modules/node/node.module Generate an SQL where clause for use in fetching a node listing.


danielb’s picture

There are also some Devel hooks which are documented on this API site, that aren't mentioned here.

hook_node_access_explain() - Explain your records in the {node_access} table.
Recommended to developers of node access modules as it helps site admins debug their setups.

hook_node_access_acknowledge() - Acknowledge ownership of 'alien' grant records.
Never used this, but it might be useful for someone.