function node_access in Drupal 7
Same name and namespace in other branches
- 4 modules/node.module \node_access()
- 5 modules/node/node.module \node_access()
- 6 modules/node/node.module \node_access()
Determines whether the current user may perform the operation on the node.
Parameters
$op: The operation to be performed on the node. Possible values are:
- "view"
- "update"
- "delete"
- "create"
$node: The node object on which the operation is to be performed, or node type (e.g. 'forum') for "create" operation.
$account: Optional, a user object representing the user for whom the operation is to be performed. Determines access for a user other than the current user.
Return value
TRUE if the operation may be performed, FALSE otherwise.
Related topics
20 calls to node_access()
- book_block_view in modules/
book/ book.module - Implements hook_block_view().
- book_export in modules/
book/ book.pages.inc - Menu callback; Generates representations of a book page and its children.
- book_node_view_link in modules/
book/ book.module - Adds relevant book links to the node's links.
- comment_file_download_access in modules/
comment/ comment.module - Implements hook_file_download_access().
- forum_menu_local_tasks_alter in modules/
forum/ forum.module - Implements hook_menu_local_tasks_alter().
26 string references to 'node_access'
- book_block_view in modules/
book/ book.module - Implements hook_block_view().
- book_get_books in modules/
book/ book.module - Returns an array of all books.
- comment_admin_overview in modules/
comment/ comment.admin.inc - Form builder for the comment overview administration form.
- comment_get_recent in modules/
comment/ comment.module - Find the most recent comments that are available to the current user.
- comment_menu in modules/
comment/ comment.module - Implements hook_menu().
File
- modules/
node/ node.module, line 2990 - The core that allows content to be submitted to the site. Modules and scripts may programmatically submit nodes using the usual form API pattern.
Code
function node_access($op, $node, $account = NULL) {
$rights =& drupal_static(__FUNCTION__, array());
if (!$node || !in_array($op, array(
'view',
'update',
'delete',
'create',
), TRUE)) {
// If there was no node to check against, or the $op was not one of the
// supported ones, we return access denied.
return FALSE;
}
// If no user object is supplied, the access check is for the current user.
if (empty($account)) {
$account = $GLOBALS['user'];
}
// $node may be either an object or a node type. Since node types cannot be
// an integer, use either nid or type as the static cache id.
$cid = is_object($node) ? $node->nid : $node;
// If we've already checked access for this node, user and op, return from
// cache.
if (isset($rights[$account->uid][$cid][$op])) {
return $rights[$account->uid][$cid][$op];
}
if (user_access('bypass node access', $account)) {
$rights[$account->uid][$cid][$op] = TRUE;
return TRUE;
}
if (!user_access('access content', $account)) {
$rights[$account->uid][$cid][$op] = FALSE;
return FALSE;
}
// We grant access to the node if both of the following conditions are met:
// - No modules say to deny access.
// - At least one module says to grant access.
// If no module specified either allow or deny, we fall back to the
// node_access table.
$access = module_invoke_all('node_access', $node, $op, $account);
if (in_array(NODE_ACCESS_DENY, $access, TRUE)) {
$rights[$account->uid][$cid][$op] = FALSE;
return FALSE;
}
elseif (in_array(NODE_ACCESS_ALLOW, $access, TRUE)) {
$rights[$account->uid][$cid][$op] = TRUE;
return TRUE;
}
// Check if authors can view their own unpublished nodes.
if ($op == 'view' && !$node->status && user_access('view own unpublished content', $account) && $account->uid == $node->uid && $account->uid != 0) {
$rights[$account->uid][$cid][$op] = TRUE;
return TRUE;
}
// If the module did not override the access rights, use those set in the
// node_access table.
if ($op != 'create' && $node->nid) {
if (module_implements('node_grants')) {
$query = db_select('node_access');
$query
->addExpression('1');
$query
->condition('grant_' . $op, 1, '>=');
$nids = db_or()
->condition('nid', $node->nid);
if ($node->status) {
$nids
->condition('nid', 0);
}
$query
->condition($nids);
$query
->range(0, 1);
$grants = node_add_node_grants_to_query(node_access_grants($op, $account));
if (count($grants) > 0) {
$query
->condition($grants);
}
$result = (bool) $query
->execute()
->fetchField();
$rights[$account->uid][$cid][$op] = $result;
return $result;
}
elseif (is_object($node) && $op == 'view' && $node->status) {
// If no modules implement hook_node_grants(), the default behavior is to
// allow all users to view published nodes, so reflect that here.
$rights[$account->uid][$cid][$op] = TRUE;
return TRUE;
}
}
return FALSE;
}