Properly abstract _node_query_node_access_alter() [#1363062]

Right now, this function has both database logic and business logic wrapped into it. As a result, you cannot call this as an external function in the event that you _want_ to impose access rules on site administrators.

See #1359570: Restrict node views for admins fails on taxonomy pages.

Why would you want to do so? To help users configure their access control rules properly while still acting as a "super-user".

The problem is, this portion of the code prevents this usage:

  // If $account can bypass node access, or there are no node access modules,
  // or the operation is 'view' and the $acount has a global view grant (i.e.,
  // a view grant for node ID 0), we don't need to alter the query.
  if (user_access('bypass node access', $account)) {
    return;
  }
  if (!count(module_implements('node_grants'))) {
    return;
  }
  if ($op == 'view' && node_access_view_all_nodes($account)) {
    return;
  }

This check should be performed by the calling operation, not this function, so that we can eliminate code duplication caused by improper abstraction.

Comment	File	Size	Author
#2	1363062-node_access_check_abstraction.patch	2.99 KB	agentrickard
#1	1363062-node_access_check_abstraction.patch	2.88 KB	agentrickard

Comments

Comment #1

agentrickard

he/him

English

Georgia (US)

commented 12 December 2011 at 20:30

Status:

Active

» Needs review

Status	File	Size
new	1363062-node_access_check_abstraction.patch	2.88 KB

And a patch. Not very glamorous, but all tests pass. The cleanup does a few things:

Moves all the conditional logic to a new function, leaving the actual query_alter to just perform that task.
Cleans up documentation a bit.
Adds proper type hinting.

This does cause an API change, as the result adds two new parameters to the current function, which I think is fine, since the cleanup improves readability and isolates functionality.