Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.In the access control there is a 'load raw node data' permission. No node data at all seems to be able to load unless the user has this permission. Not sure if this a bug or a feature?
It can be overridden in services/services/node_service/node_service.module on line 90 by changing:
return node_access('view', $node) && user_access('load raw node data');
to
return node_access('view', $node) && user_access('access services');
Should not having 'load raw node data' access degrade to giving some basic node data access? Or is it a better idea to create a custom node loading service that only returns desired node fields?
Comments
Comment #1
snelson commentedThis addition was made at the request of the Drupal security team. The thought is that special permissions need to exist if a user is to have access to an entire loaded node. If you have special needs, then I would suggest you create your own method. But what's wrong with just enabling 'load raw node data' for users who need it?