Upgrade Your Drupal Skills

We trained 1,000+ Drupal Developers over the last decade.

See Advanced Courses NAH, I know Enough

Programmatically Restricting Access to Drupal Content

Parent Feed: 

Have a requirement like “I want users to not be able to add, update, delete or view content if some condition is true?” If so, hook_node_access might be all you need. This hook simply allows you to alter access to a node. Now let’s learn how to use it.

How this hook works

Anytime a user accesses a node (to add, update, delete or view it) this hook is called and can be used to alter that access decision. It receives three parameters.

  • $node – Contains information about the node being accessed (or base information, if it is being created)
  • $op – What type of access it is (create, update, delete, view)
  • $account – Information about the user accessing the node

It expects a return value to alter the access, which is; NODE_ACCESS_DENY, NODE_ACCESS_IGNORE or NODE_ACCESS_ALLOW. Best practice is to not use allow and use either deny or ignore (ignore is the default, if no return is given). You get far less permissions headaches this way.

I use this module often for customized workflow requirements. The most recent use case was “I want to deny update access to all users who try to update a node based on a user select field on the node selecting them or not.”

This is all done with one simple hook in a custom module (see below).

NOTE: There are some instances this hook is not called/skipped. Refer to the hook’s link for those cases.

/**
 * Implements hook_node_access().
 *
 * Enforces our access rules for custom workflow target content to force updates
 * only if the user is targeted in the user select field
 */
 function mymodule_node_access($node, $op, $account) {
   // If a node is being updated
   if ($op == 'update') {
     // If the user select field exists on this node
     if (isset($node->field_my_user_select)) {
       // If the user select field is not empty
       if (!empty($node->field_my_user_select)) {
         // If the user id in the user select field does not match the current user
         if ($node->field_my_user_select[LANGUAGE_NONE][0]['target_id'] !=
           $account->uid) {
           // The users are not the same. Deny access to update in this case
           return NODE_ACCESS_DENY;
         }
       }
     }
   }
   // Else ignore altering access
   return NODE_ACCESS_IGNORE;
}

Previous Post

Content Strategy Resource Roundup

Next Post

Join Us at Drupal GovCon July 22-24!

Original Post: 

About Drupal Sun

Drupal Sun is an Evolving Web project. It allows you to:

  • Do full-text search on all the articles in Drupal Planet (thanks to Apache Solr)
  • Facet based on tags, author, or feed
  • Flip through articles quickly (with j/k or arrow keys) to find what you're interested in
  • View the entire article text inline, or in the context of the site where it was created

See the blog post at Evolving Web

Evolving Web