I've been trying to understand node access and things are starting to come together however I believe there is something missing - unless I've missed something ;)

It would seem that owners of a node lose access to a node they've created if the owner doesn't have the permission being checked for using node access. Implementing node_access_example, for instance, wipes out a user's blog for them, since they don't have access, and they can't change the private flag since they don't have access. I find it ironic that others could view their content but not them.

The obvious answer is to enable whatever permission the user is supposed to have to allow them to read private nodes; however, I don't believe this is the way it should work... A user should be able to read their own private nodes without being able to read other people's private nodes...

This doesn't seem possible under the current scheme.

It seems that this is because of the way node access works, since the grants seem to be an all or nothing thing.

Essentially, unless a node is specifically allowed by having an entry in the node_access table, or a user is specifically granted the correct permission for that realm, they don't see nodes based on that realm...? Do I understand that correctly?

I was trying to think of a way to build a module that would fake this out somehow, like creating a node_access table entry each time a user adds a node, say for realm node_owner, that would then have a partner hook_node_grants that granted only the actual node owner a permission. But even this seems impossible, as the whole thing is wrapped up in an SQL query that doesn't consider each individual $nid.

Help understanding this would be helpful, I think, for a majority of users out there. Thanks in advance...

Comments

tatonca

Ok, unfortunately node_access_example doesn't make it clear, but I started looking at node_privacy_byrole, and it does implement a specific node access entry for the node owner:

     * ADDITIONALLY, code must be executed that essentially does the following when the
     * module is enabled:
     *
     * for every ($node in node table) {
     *   for every ($role in role table) {
     *     INSERT INTO node_access($node->nid, $role->rid, 'node_privacy_byrole_role', 1, 0, 0);
     *   }
     *   INSERT INTO node_access($node->nid, $node->uid, 'node_privacy_byrole_user', 1, 0, 0);
     * }
     *

What this is doing is adding an access rule for each node's owner as part of installing the module. Then, whenever someone creates or modifies a node, the hook_nodeapi that the module implements takes care of adding and deleting this permission from the node_access table.

Then, the hook_node_grants() sends a grant based on the realm of 'node_privacy_byrole_user' and the user id to take care of the access side.

It would be helpful if node_access_example also did this by way of 'example' - if I can get it to work I will post it.
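The pattern discussed in both the original question (an owner-only realm keyed on $nid) and tatonca's reply (a per-node row whose grant id is the owner's uid) can be written as a small module. The following is an added example, not code from this thread or from node_privacy_byrole or node_access_example; it assumes the Drupal 6/7 node access API (hook_node_access_records() and hook_node_grants()), a hypothetical module name "owner_private", a boolean $node->private flag stored by the module the way node_access_example does, and a hypothetical permission 'view all private content'.

```php
<?php
/**
 * Added example (not from the thread, node_privacy_byrole or
 * node_access_example): owner-only access to "private" nodes.
 *
 * Assumptions: Drupal 6/7 node access API; hypothetical module name
 * "owner_private"; a boolean $node->private flag the module stores;
 * a hypothetical permission 'view all private content'.
 */

/**
 * Implements hook_node_access_records().
 *
 * Runs when a node is saved and during node_access_rebuild(). Returning
 * no records leaves the node public: Drupal then writes its default
 * (realm 'all', gid 0) row, which every account is granted.
 */
function owner_private_node_access_records($node) {
  $records = array();
  if (empty($node->private)) {
    return $records;
  }
  // The trick from the thread: the grant id in the owner realm is the
  // author's uid. The row is written per node, so the SQL join only ever
  // matches it for that one account; no per-$nid logic is needed in
  // hook_node_grants().
  $records[] = array(
    'realm' => 'owner_private_owner',
    'gid' => $node->uid,
    'grant_view' => 1,
    'grant_update' => 1,
    'grant_delete' => 1,
    'priority' => 0,
  );
  // A second realm for accounts allowed to read everyone's private nodes.
  $records[] = array(
    'realm' => 'owner_private_staff',
    'gid' => 1,
    'grant_view' => 1,
    'grant_update' => 0,
    'grant_delete' => 0,
    'priority' => 0,
  );
  return $records;
}

/**
 * Implements hook_node_grants().
 *
 * Called once per account and operation, never per node, which is why the
 * per-node part has to live in the node_access rows above. Here the module
 * can only say "this account belongs to gid N in realm R".
 */
function owner_private_node_grants($account, $op) {
  $grants = array();
  // Each authenticated account is the sole member of its own uid gid.
  // Anonymous (uid 0) gets nothing, so a node owned by uid 0 cannot leak
  // to every visitor through this realm.
  if ($account->uid > 0) {
    $grants['owner_private_owner'] = array($account->uid);
  }
  // Staff realm only grants viewing; update/delete still fall back to the
  // node type permissions because those rows carry 0 for them.
  if ($op == 'view' && user_access('view all private content', $account)) {
    $grants['owner_private_staff'] = array(1);
  }
  return $grants;
}

/**
 * Implements hook_permission() (Drupal 7; Drupal 6 uses hook_perm()).
 */
function owner_private_permission() {
  return array(
    'view all private content' => array(
      'title' => t('View all private content'),
    ),
  );
}

/**
 * Implements hook_enable().
 *
 * Nodes that existed before the module was enabled have no rows in the
 * new realms yet. This is the "ADDITIONALLY, code must be executed" step
 * quoted above; letting Drupal rebuild the table replaces the hand-written
 * INSERT loop.
 */
function owner_private_enable() {
  node_access_rebuild();
}
```

Two things worth checking after enabling such a module: first, that node_access_rebuild() actually ran, since a private node saved before the module existed stays visible to everyone until its rows are written; second, that the owner realm's gid really is the node's uid and not the current user's, because hook_node_access_records() runs in whatever session saved the node, and an administrator editing someone else's private post must not end up as its only reader. Accounts with 'bypass node access' (Drupal 7) or 'administer nodes' (Drupal 6), and user 1, skip node_access entirely, which is the expected override rather than a hole in the scheme. In the Drupal 5 API the thread's hook_nodeapi wording suggests, the same records would be written from hook_nodeapi by calling node_access_write_grants(); the realms and grant ids do not change.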