This example demonstrates how to use the node access system.
This is an example demonstrating how to grant or deny access to nodes using the node access system.
This module will add a 'private' flag for each node, which the node's author can manage. Nodes marked private can only be viewed, edited, or deleted by the author. However, not everything is as private as it seems on the Internet, and so we need to implement some ways to allow other users to manage this 'private' content.
We will use the node grant system to specify which users are allowed to view, edit, or delete 'private' content. We will also allow a user named 'foobar' to have edit privileges on private content.
In addition, we will provide a page which will show some minimal instructions and statistics on private nodes on the site.
We use node hooks to put a single marker on a node, called 'private'. The marker is implemented by a database table which has one row per node simply indicating the node is private. If the "private" marker is set, users other than the owner and privileged users are denied access.
Standard permissions are defined which allow users with 'access any private content' or 'edit any private content' to override the 'private' node access restrictions.
A separate access realm grants privileges to each node's author. They can always view, edit, and delete their own private nodes.
The only page provided by this module gives a rundown of how many nodes are marked private, and how many of those are accessible to the current user. This demonstrates the use of the 'node_access' tag in node queries, preventing disclosure of information which should not be shown to users who don't have the proper permissions.
The most relevant functions are:
- node_access_example_permission()
- node_access_example_node_access()
- node_access_example_node_access_records()
- node_access_example_node_grants()
Backdrop's node access system has three layers.
- User 1 and any user with 'bypass node access' permission are automatically granted access.
- hook_node_access() gives each module the opportunity to approve or deny access. If any module returns NODE_ACCESS_DENY from hook_node_access(), access is denied. If no module denies access and one or more modules allow access, then access is granted.
- If no resolution has yet been reached, the node_access table is used along with hook_node_grants(). (Backdrop updates the node_access table when nodes are saved, by calling hook_node_access_records().)
Note that the hook_node_grants()/hook_node_access_records() layer is a first-grant-wins system, which means a module using it can't deny access to a node. Contributed modules have been developed to overcome this shortcoming, with their own APIs, such as ACL. ACL, in fact, has emerged as the more-or-less standard solution for fine-grained access control, and it is used by many modules.
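The grants layer and the 'node_access' query tag described above, sketched as an added example for a hypothetical module named mymodule (this is not the Node Access Example module's own code). The realm names, the `$node->private` property and the `mymodule_private` table are assumptions, and the two permissions are assumed to be declared in the module's hook_permission().

```php
<?php
// Hypothetical module "mymodule"; names below are assumptions, not project code.
define('MYMODULE_GRANT_ALL', 23);

// Implements hook_node_access_records(): rows stored when a node is saved.
function mymodule_node_access_records($node) {
  // Assumption: $node->private is loaded from the module's own table.
  if (empty($node->private)) {
    return array(); // This module writes no rows for non-private nodes.
  }
  $none = array('grant_view' => 0, 'grant_update' => 0, 'grant_delete' => 0, 'priority' => 0);
  $edit = array('grant_update' => 1, 'grant_delete' => 1);
  return array(
    array('realm' => 'mymodule_view', 'gid' => MYMODULE_GRANT_ALL, 'grant_view' => 1) + $none,
    array('realm' => 'mymodule_edit', 'gid' => MYMODULE_GRANT_ALL) + $edit + $none,
    // The author realm uses the author's uid as the grant ID.
    array('realm' => 'mymodule_author', 'gid' => $node->uid, 'grant_view' => 1) + $edit + $none,
  );
}

// Implements hook_node_grants(): realm => grant IDs that $account holds for $op.
function mymodule_node_grants($account, $op) {
  $grants = array();
  if ($op == 'view' && user_access('access any private content', $account)) {
    $grants['mymodule_view'] = array(MYMODULE_GRANT_ALL);
  }
  if ($op != 'view' && user_access('edit any private content', $account)) {
    $grants['mymodule_edit'] = array(MYMODULE_GRANT_ALL);
  }
  // Skip uid 0 so anonymous visitors never match nodes authored by uid 0.
  if ($account->uid) {
    $grants['mymodule_author'] = array($account->uid);
  }
  return $grants;
}

// Counts the private nodes that the current user is allowed to view.
function mymodule_count_viewable_private() {
  $query = db_select('node', 'n');
  $query->addExpression('COUNT(n.nid)', 'private_count');
  // Assumption: table mymodule_private(nid, private) holds the flag.
  $query->join('mymodule_private', 'p', 'p.nid = n.nid');
  $query->condition('p.private', 1);
  // Without this tag the count would include nodes the user cannot see.
  $query->addTag('node_access');
  return (int) $query->execute()->fetchField();
}
```

Because a stored row can only add access, a private node is hidden here by the absence of a matching realm and grant ID for the user, not by any deny rule.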
File
- modules/examples/node_access_example/node_access_example.module, line 7 - Hook implementations for the Node Access Example module.
Constants
Name | Location | Description |
---|---|---|
NODE_ACCESS_EXAMPLE_GRANT_ALL | modules/ | This is the constant for our node access grant ID, for the node_access_example_view and node_access_example_edit realms. The ID could be any integer, but we choose 23 because it is this author's favorite number. |
Classes
Name | Location | Description |
---|---|---|
NodeAccessExampleTestCase | modules/ | Functional tests for the Node Access Example module. |