The node_access entries for nodes shown on this page table shows realms and gids, but you don't know what they mean.

I'd like to propose adding a column interpreted and a hook_node_access_interpret($realm, $gid, $nid), so that cooperating access control modules can supply the interpretations of their gids. The patch to devel_node_access.module is attached and it should apply for D5 and D6.

This would, for example, allow ACL to implement the following:

/**
 * Implementation of hook_node_access_interpret
 */
function acl_node_access_interpret($realm, $gid, $nid) {
  if ($realm == 'acl') {
    $acl = db_fetch_object(db_query("SELECT * from {acl} WHERE acl_id = %d", $gid));
    $return = $acl->module .'/'. $acl->name;
    $result = db_query("SELECT u.name FROM {acl_user} au, {users} u WHERE au.acl_id = %d AND au.uid = u.uid", $gid);
    while ($user = db_fetch_object($result)) {
      $users[] = $user->name;
    }
    if ($users) {
      $return .= ': '. implode(', ', $users);
    }
    return $return;
  }
}

and devel_node_access could show something like

realm: acl
gid: 28
interpreted: forum_access/2: z7a, z7b

Then you'll know with minimal knowledge of Forum Access, that this record is for the users z7a and z7b in forum/2, which is a lot better than just "acl 28".

If my proposal is accepted, I'll implement the hook right away in ACL, Forum Access and Image Gallery Access, of course, and I'll add caching.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

moshe weitzman’s picture

i'd like some feedback on this, especially from dave cohen who (i think) wrote this DNA module.

agentrickard’s picture

Domain Access does something similar in debug mode, printing plain text strings that explain the access that a particular node has been granted. So I support this idea, though I have not reviewed the code.

Dave Cohen’s picture

Status: Needs review » Reviewed & tested by the community

+1. I like the idea, and I'm not concerned about the efficiency of the queries for a devel module. Tac_lite could use this to indicate whether a user has permission based on a role vs based on uid.

I think hook_node_access_explain() would be a better name. File that under suggestion, personal opinion.

I did write devel_node_access. I'm happy to review any issues associated with it, but I don't intend to be the sole judge and jury. It belongs to the community!

salvis’s picture

Thanks, Dave!

Yes, I like hook_node_access_explain() better, too. We might even go as far as calling it hook_devel_node_access_explain() to make it completely clear what this is all about. What shall I do?

moshe weitzman’s picture

lets not put devel in the name. we'll try to get it into core if it proves useful.

i think you should just pass $row to the hook, and not the individual pieces.

salvis’s picture

Status: Reviewed & tested by the community » Needs review
FileSize
1.31 KB
1.35 KB

Ok, here's the result.

moshe weitzman’s picture

Status: Needs review » Fixed

I committed this. Thanks.

THis module needs db_num_rows() removed as per http://drupal.org/node/163191

salvis’s picture

Version: 7.x-1.x-dev » 5.x-1.x-dev
Status: Fixed » Reviewed & tested by the community

Thanks! Please commit it to the D5 branch, too.

I've ported devel_node_access.module in http://drupal.org/node/210031.

moshe weitzman’s picture

Status: Reviewed & tested by the community » Fixed

committed to 5. thx.

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.