I'm trying to figure out (and since this involves both node access and query altering, it's a little complex) if the new drupal_alters added to node_access conflicts with the node_query_node_access_alter function. Let me explain:

Drupal 7 has new drupal_alters so that the way grants are used to restrict access can be modified. See http://api.drupal.org/api/function/hook_node_grants_alter/7 and http://drupal.org/node/224333#node_access_alter_hooks.

So let's say someone writes a hook_node_grants_alter that ANDs grants instead of ORs grants for access. This is all well and good for when node_access is called directly on an individual node (like when viewing or editing a node). But what about when that node is included in a query that is altered by node_query_node_access_alter, such as in a View? If you look at that function (http://api.drupal.org/api/function/node_query_node_access_alter/7), you'll see that that function explicitly ANDs grants, and would ignore anything a hook_node_grants_alter has been written to do.

So the question is: can this be resolved by creating a second hook_node_access_alter in your custom function? Or must we add yet another drupal_alter to node_query_node_access_alter? If it's the former, than this isn't an issue and can be closed (although maybe it can switch to a documentation issue so that this gotcha is made clear in the docs). If it's the latter, than we can start thinking about the best solution. But since I'm still not fully familiar with how multiple query alters work, I wanted to put this out there.

Comments

mcarbone’s picture

Corrections:

"you'll see that that function explicitly *ORs* grants, and would ignore anything a hook_node_grants_alter has been written to do."

"can this be resolved by creating a second hook_node_access_alter in your custom *module*"

moshe weitzman’s picture

The new alter hooks were knowingly put in as helpers only for the single node case, not the n ode listing case. In order to deal with node listing case, you have to use query_alter. Hope that helps.

mcarbone’s picture

Status: Active » Closed (works as designed)

Thanks -- I was unsure if query_alters would do the trick, but I think you're right. Closing.