in node_access_example_perm():

- * has just one group id (1) and the user is either a member or not depending
+ * has just one grant id (1) and the user is either a member or not depending

Also, the grant "TRUE" is really just a static grant identified by "1". It would be far better to show two grants in a realm. Static grants like this just have to match up.

Finally, the idea of a realm needs to be explained better.

Comments

mile23’s picture

Status: Active » Needs review
StatusFileSize
new5.67 KB

I thought to myself: This is a good opportunity to learn more about the node access API stuff. And so here's a patch.

Please, someone with more node_access insight please double check the content. :-)

rfay’s picture

Almost made it to this the other night, but not quite. Thanks, though! Watch out or you'll end up a comaintainer. Interested?

ilo’s picture

Status: Needs review » Needs work

This patch 'deviates' the D6 code of the module from the D7 branch. I'd suggest to change function order and array attributes to stick as much as possible as their D7 versions to make module maintaining easy. i.e. in D7 we do have $grants['node_access_example_..'] where .. are any of the following: 'author', 'view' or 'edit', and the patch introduces $grants['example_private_realm'] for view and edit operations, and a $grants['example_author_realm'] for authors.

To make this go in, I'd first make these changes in the D7 branch also and then continue with this issue. Mile23, Randy, what do you preffer?

ilo’s picture

I'm in doubt, is this really a but report or a task?

rfay’s picture

Category: bug » task
Status: Needs work » Needs review

Changing to task.

@ilo, your point is good. @Mile23, it's your call whether you want to do some work here and then do it in D7, or start in D7. But it is better in general to keep things looking the same.

mile23’s picture

Assigned: Unassigned » mile23

Yah, good point. I'll muck about with it and do a couple patches.

ilo’s picture

Great Mile23, thanks so much for taking this one :)

mile23’s picture

OK: The D6 version lacks a test, so I can't say I didn't introduce any bugs. I changed some names to match the D7 version. Also, same for the D7 version, because even though it has a test, I don't have a D7 install at hand.

Status: Needs review » Needs work

The last submitted patch, d7_nodeacc_example_947334.patch, failed testing.

ilo’s picture

Version: 6.x-1.x-dev »
Status: Needs work » Needs review
StatusFileSize
new15.75 KB

Ok, the D7 patch does not touch a line of code, and it is only changing comments. Very complete, I'd say. I've fixed the only issue I've seen no the patch: comments exceding 80 chars.

I do have one concern.. the module currently says:

* Note that current best practice is probably to interoperate with the
* @link http://drupal.org/project/acl ACL module @endlink rather than directly
* implementing node access.

Really is that a 'best practice' or just a good? really this should be in a module comment deep into the file and not in the header section?

The D7 passess all the tests locally, verified. Lets see if the testbot thinks the same. I'm moving the changes to D7 first so we can go back for D6 later.

ilo’s picture

I forgot to mention, very great work Mile23. I hope you finally get this issue fixed at all! :)

mile23’s picture

Regarding the ACL module stuff... I really don't know whether it's best practice or just good. I think it might be a holdover from D6, which doesn't have a hook_node_access() and therefore can't deny access, only grant it. However, ACL has a D7 version in the pipeline. None of the linked documentation is clear on why you'd want to avoid node access in favor of another module. But it was in the D7 @file block before, so I kept it in order to have exactly this discussion.

ilo’s picture

Lets wait for rfay's point on it, also he introduced it in the patch at http://drupal.org/node/768054#comment-3057126. I'm pretty sure that he will have a whole rationale for that.

About the D7 patch, IMO it is ok to go, could someone else make an additional review?

rfay’s picture

I do want to take a look at this and haven't yet.

As far as ACL module, the general problem of "first to grant wins" remains in D7. So if there are two modules and they both have different ideas about how to do the grants, chaos results. ACL module tends to mitigate this.

I would love it if agentrickard were involved here. Finding him in IRC would be the authoritative way to answer this.

rfay’s picture

Status: Needs review » Needs work

Well, this is absolutely fantastic work, and much appreciated.

Minor changes below, but the one thing that really bothers me is the grant id '1'. I know it has to be an int (for no good reason, probably) but I'd like to use an int that is not as magical as 1.

What do you think about
define('NODE_ACCESS_EXAMPLE_GRANT_ALL', 4);

or something like that? Anyway, we just want to make clear that this is a unique integer that we are just using as an identifier.

+++ node_access_example/node_access_example.module	27 Dec 2010 11:20:12 -0000
@@ -48,16 +71,11 @@
+ * clearing house for granting access. The problem with node acces is that it is

Typo 'acces'

+++ node_access_example/node_access_example.module	27 Dec 2010 11:20:12 -0000
@@ -65,7 +83,10 @@
+ *
+ * This path provides a page, with some instructions for the user, and some
+ * statistics about node access changes implemented by this module.

These new comments are unnecessary with this particular hook. I'm all in favor of comments, but if they don't know about hook_menu() at this point they need to read about it.

+++ node_access_example/node_access_example.module	27 Dec 2010 11:20:12 -0000
@@ -163,8 +188,11 @@
- *  Allows view and edit access to private nodes where the account requesting
- *  access has the username 'foobar'.
+ * Allows view and edit access to private nodes, when the account requesting
+ * access has the username 'foobar'.

The original comment is probably better English usage.

+++ node_access_example/node_access_example.module	27 Dec 2010 11:20:12 -0000
@@ -182,23 +210,37 @@
+ * Here we are determining if the user belongs to any of two main categories of
+ * realms:

"Here we are determining whether the user belongs to one of two main categories of realms"

Powered by Dreditor.

ilo’s picture

Mile23, will you do the honor patch working on these last issues? I totally agree that instead of a '1', we can use a constant, but the document must explain that WE are defining them, they are not provided by Drupal.. or.. do they?

mile23’s picture

Status: Needs work » Needs review
StatusFileSize
new16.61 KB
new11.9 KB

rfay: Going down the list here... :-)

Defining a node grant constant is a good idea, probably a best practice. I think the important point to get across is that grant IDs are arbitrary and can be set up however you want. In fact, if I were coding this for a real project, I'd define one realm and use different grant IDs for view vs. edit access. But that's just me.

Will kill the typo.

If someone needs to read about hook_menu(), then here's some text for them to read. :-) Seriously, though, that page shows us how to run some SQL while taking account of the access system. The comment tells us that this is the menu definition for the page that demonstrates this. It's easy enough to tell our newbie audience that this is scaffolding for the real demonstration.

'When' is better English, because it's accurate. When the conditions are met, it does the thing.

Same with the last one: We're making a list of all of the user's realms and grants based on operation. Any grants could be included, and in fact the authorship one is always included in the example code. But I decided to change that all around anyway, having re-read it.

Still wondering about the ACL module stuff... But really all the concerns raised are addressed by hook_node_access(). In fact, if I were going to write a D7 node access module, I'd toss out the carryovers from D6, and base it solely on hook_node_access(). I assume hook_node_grants/records() still exist in D7 because they're based in the database, and an upgrade path to to hook_node_access() can only be coded by the module author. I'll take the ACL module reference out of the D7 example, and someone can put it back if they please.

ilo’s picture

About the ACL stuf, I'd simply change 'Best practice' with a 'good or common' practice notice. Probably a person reading the node_acces example code is wondering how does it work, otherwise they would be reading the ACL's module code. However, you already exposed the reason: first grant wins, so probably a line stating something like 'Anything that you can do here, you will find done in ACL module, so if you just can't use ACL module then keep reading'.

rfay’s picture

Just FYI - to make a patch be ignored by the testbot, postfix it with _d6, like d6_examples_nodeacc_again_d6.patch.

+1 to ilo's approach on ACL module.

mile23’s picture

What say ye?

ilo’s picture

Mile23, comment lines exceeding 80 chars again :)

Appart of this, I enjoyed the detail of choosing 23

mile23’s picture

StatusFileSize
new18.41 KB
new12.91 KB

Someone should make a tool to format doxygen comments.

mile23’s picture

Based on the non-commit of this patch, I'll leave node_access_example out of #767204: API.drupal.org: Rework Doxygen comments so people can navigate the comments.

rfay’s picture

Sorry, I've just been slammed and trying to keep up with a few things.

mile23’s picture

No worries. :-)

dave reid’s picture

Version: » 7.x-1.x-dev
rfay’s picture

Shoot, got lost in time.
Here's the D7 version from #22 as a testable patch.

Status: Needs review » Needs work

The last submitted patch, examples.d7_node_access_example_comments.patch, failed testing.

rfay’s picture

Status: Needs work » Needs review
StatusFileSize
new18.42 KB

And wow, I've been behind so long that this is a -p0 patch. #22 rerolled here as a git patch. This looks like some pretty serious improvements!

rfay’s picture

Here's #29 again with minor changes - removing trailing spaces.

Mostly, I wanted to change "new in Drupal 7" type verbiage to "was introduced in Drupal 7" so it's not already out of date as we commit it to the D8 version.

I'd say this is good to go, if there are no objections.

rfay’s picture

Status: Needs review » Fixed

OK, I didn't hear objections.

Committed to D7: 80041a7
D8: 15bb86c

Thanks so very much. Hope you'll come back and play again Mile23 :-) Your contributions are much appreciated.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

mile23’s picture

Version: 7.x-1.x-dev » 6.x-1.x-dev
Status: Closed (fixed) » Patch (to be ported)
mile23’s picture

Status: Patch (to be ported) » Fixed

Backported D7 docblock comments to D6, with minor changes to reflect differences in code functioning. (D6 doesn't have view vs. edit distinction, for instance.) Changed the grant names from 'example' and 'example_author' to 'node_access_example' and 'node_access_example_author'.

And committed: http://drupalcode.org/project/examples.git/commitdiff/29aa395423795ab2ce...

Yell and scream if this is the wrong way to go. :-)

rfay’s picture

@Mile23++

Note that D7 made significant changes to the node access system.

mile23’s picture

Well if I explained it incorrectly, give a shout and I can fix it.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.