Drupal has some interesting ways to control access for content. I was forced to learn about all of them to be able to implement a custom security widget. Once you know how everything fits into each other it is fun to work with, but it took me more effort than I expected. I bumped into many walls. This is why I like to guide you through this proccess. I will talk about all the wrong paths I took to get where I had to be. This way I will cover multiple use cases. If you are a developer and want to know more about security, this could be an interesting session for you. The main topics I will talk about are node_access and node_grants. I also added a custom layer for my project. If you know more about this it could be fun to open a discussion about different implementations.

1. Node access
Jasper Knops

2. whoami
2

3. <strong>
3

4. <3
4

5. 5

6. 6

7. wtf
7

8. 8

9. Why?
9

10. Permissions
10

11. Roles
Permissions
user_access()
11

12. Roles
anonymous
authenticated
custom roles
12

13. Permissions
view content
add block
edit articles
delete users
13

14. function
user_access()
$string, $account
14

15. node_access()
2 basic implementation
grants
15

16. view
create
update
delete
5 operations
list
16

17. node.module
function node_access()
$op, $node, $account
17

18. 1
Check permission
user_access(‘bypass node access’);
user_access(‘access content’);
18

19. 2
6 node.php
hook_access($op, $node,
$account)
7 node.api.php
hook_node_access($node,
$op, $account)
19

20. MODULE_node_access() {
return NODE_ACCESS_DENY;
return NODE_ACCESS_IGNORE;
return NODE_ACCESS_ALLOW;
}
20

21. NODE_node_access() {
case ‘create’:
user_access(‘create TYPE content’);
}
21

22. NODE_node_access() {
case ‘update’:
user_access(‘update any TYPE content’);
user_access(‘update own TYPE content’);
}
22

23. NODE_node_access() {
case ‘delete’:
user_access(’delete any TYPE content’);
user_access(‘delete own TYPE content’);
}
23

24. 3
Check permission
user_access(‘view own unpublished
content’);
24

25. 4
Grants?
table {node_access}
25

26. 5
No grants?
user_access(‘view published content’);
26

27. 6
return FALSE;
27

28. Wat hebben we vandaah heleerd?
28

29. Permissions
user_access
node_access
hook_node_access
grants?
29

30. So, what is that
granting all about?
30

31. {node_access}
31

32. hook_node_access_records()
return {node_access} records
doesn’t care if a node is published or not
32

33. $grants[] = array(
'realm' => 'example_author',
'gid' => $node->uid,
'grant_view' => 1,
'grant_update' => 1,
'grant_delete' => 1,
'priority' => 0,
);
33

34. Deny all
$grants[] = array(
'realm' => 'all',
'gid' => 0,
'grant_view' => 0,
'grant_update' => 0,
'grant_delete' => 0,
'priority' => 1,
);
34

35. hook_node_access_records_alter()
&$grants, $node
35

36. node.module
node_access_acquire_grants()
$node
36

37. hook_node_access_grants()
return $grants;
37

38. $grants[‘example_author’] = array(
$account->uid,
);
38

39. domain.module
$grants[] = array(
'realm' => 'domain_id',
'gid' => $node->domain_id,
'grant_view' => 1,
'grant_update' => 0,
'grant_delete' => 0,
'priority' => 0,
);
39

40. domain.module
$grants[‘domain_id’] = array(
$current_domain->domain_id,
);
40

41. {node_access}
nid gid realm view update delete
1 5 example_author 1 1 1
1 2 domain_id 1 0 0
41

42. Wat hebben we vandaah heleerd?
42

43. define records
save records
return user records
43

44. Where?
44

45. node.module
function node_access()
$op, $node, $account
view
update
delete
45

46. $query->addTag(‘node_access’)
list
46

47. hook_query_TAG_alter(QueryAlt
erableInterface $query)
47

48. hook_query_node_access_alter(
QueryAlterableInterface $query)
48

49. 1
$query->getMetaData(‘account’);
$query->addMetaData(‘account’,
$account);
49

50. 2
$query->getMetaData(‘op’);
$query->addMetaData(‘op’,
‘delete’);
50

51. 3
user_access('bypass node
access');
51

52. 4
Grants?
52

53. 5
node_access_view_all_nodes()
53

54. 6
$query->join(‘node_access’);
54

55. Disables node_access checks
55

56. {node_deny}
56

57. My custom security widget
It ‘s a field
57

58. Per space
Company
allow / deny
58

59. Function
allow / deny
59

60. 60

61. {content_space_index}
61

62. $node->nid = 4;
$node->space_id = 2;
$node->company_allow = 0;
$node->company = ‘Nascom’;
$node->company_allow = 1;
$node->function = ‘Developer’;
62

63. nid gid realm view update delete
4 2 index 1 0 0
63

64. nid gid realm view update delete
4 Nascom 2_company 1 0 0
64

65. nid gid realm view update delete
4 Developer function ?? 0 0
65

66. hook_node_access_records_alter
hook_node_access_records
hook_node_grants
hook_node_access
hook_node_grants_alter
node_query_node_access_alter
hook_node_access_acknowledge
hook_node_access_explain
66

67. http://api.drupal.org/api/drupal/modules%21node
%21node.module/group/node_access/7
http://api.drupal.org/api/drupal/modules%21node
%21node.module/function/node_access/7
http://www.palantir.net/blog/controlling-nodes-drupal-7
67

68. Applause
68

69. Feedback & follow-up:
http://drupalcampgent.be/feedback