The node_access entries for nodes shown on this page table shows realms and gids, but you don't know what they mean.
I'd like to propose adding a column interpreted and a hook_node_access_interpret($realm, $gid, $nid), so that cooperating access control modules can supply the interpretations of their gids. The patch to devel_node_access.module is attached and it should apply for D5 and D6.
This would, for example, allow ACL to implement the following:
/**
* Implementation of hook_node_access_interpret
*/
function acl_node_access_interpret($realm, $gid, $nid) {
if ($realm == 'acl') {
$acl = db_fetch_object(db_query("SELECT * from {acl} WHERE acl_id = %d", $gid));
$return = $acl->module .'/'. $acl->name;
$result = db_query("SELECT u.name FROM {acl_user} au, {users} u WHERE au.acl_id = %d AND au.uid = u.uid", $gid);
while ($user = db_fetch_object($result)) {
$users[] = $user->name;
}
if ($users) {
$return .= ': '. implode(', ', $users);
}
return $return;
}
}
and devel_node_access could show something like
realm: acl
gid: 28
interpreted: forum_access/2: z7a, z7b
Then you'll know with minimal knowledge of Forum Access, that this record is for the users z7a and z7b in forum/2, which is a lot better than just "acl 28".
If my proposal is accepted, I'll implement the hook right away in ACL, Forum Access and Image Gallery Access, of course, and I'll add caching.
Comment | File | Size | Author |
---|---|---|---|
#6 | devel_node_access.explain.D6.patch | 1.35 KB | salvis |
#6 | devel_node_access.explain.D5.patch | 1.31 KB | salvis |
devel_node_access.interpret.patch | 1.33 KB | salvis | |
Comments
Comment #1
moshe weitzman CreditAttribution: moshe weitzman commentedi'd like some feedback on this, especially from dave cohen who (i think) wrote this DNA module.
Comment #2
agentrickardDomain Access does something similar in debug mode, printing plain text strings that explain the access that a particular node has been granted. So I support this idea, though I have not reviewed the code.
Comment #3
Dave Cohen CreditAttribution: Dave Cohen commented+1. I like the idea, and I'm not concerned about the efficiency of the queries for a devel module. Tac_lite could use this to indicate whether a user has permission based on a role vs based on uid.
I think hook_node_access_explain() would be a better name. File that under suggestion, personal opinion.
I did write devel_node_access. I'm happy to review any issues associated with it, but I don't intend to be the sole judge and jury. It belongs to the community!
Comment #4
salvisThanks, Dave!
Yes, I like hook_node_access_explain() better, too. We might even go as far as calling it hook_devel_node_access_explain() to make it completely clear what this is all about. What shall I do?
Comment #5
moshe weitzman CreditAttribution: moshe weitzman commentedlets not put devel in the name. we'll try to get it into core if it proves useful.
i think you should just pass $row to the hook, and not the individual pieces.
Comment #6
salvisOk, here's the result.
Comment #7
moshe weitzman CreditAttribution: moshe weitzman commentedI committed this. Thanks.
THis module needs db_num_rows() removed as per http://drupal.org/node/163191
Comment #8
salvisThanks! Please commit it to the D5 branch, too.
I've ported devel_node_access.module in http://drupal.org/node/210031.
Comment #9
moshe weitzman CreditAttribution: moshe weitzman commentedcommitted to 5. thx.
Comment #10
Anonymous (not verified) CreditAttribution: Anonymous commentedAutomatically closed -- issue fixed for two weeks with no activity.