Slide 1: Node access (Jasper Knops)
Slide 2: whoami
Slide 3: <strong>
Slide 4: <3
Slide 7: wtf
Slide 9: Why?
Slide 10: Permissions
Slide 11: Roles, permissions, user_access()
Slide 12: Roles: anonymous, authenticated, custom roles
Slide 13: Permissions: view content, add block, edit articles, delete users
Slide 14: function user_access($string, $account)
Slide 15: node_access(): 2 basic implementations; grants
Slide 16: 5 operations: view, create, update, delete, list
Slide 17: node.module: function node_access($op, $node, $account)
Slide 18: 1. Check permissions: user_access('bypass node access'); user_access('access content');
Slide 19: 2. Drupal 6, node.php: hook_access($op, $node, $account); Drupal 7, node.api.php: hook_node_access($node, $op, $account)
Slide 20: MODULE_node_access() { return NODE_ACCESS_DENY; return NODE_ACCESS_IGNORE; return NODE_ACCESS_ALLOW; }
Slide 21: NODE_node_access() { case 'create': user_access('create TYPE content'); }
Slide 22: NODE_node_access() { case 'update': user_access('update any TYPE content'); user_access('update own TYPE content'); }
Slide 23: NODE_node_access() { case 'delete': user_access('delete any TYPE content'); user_access('delete own TYPE content'); }
Slide 24: 3. Check permission: user_access('view own unpublished content');
Slide 25: 4. Grants? table {node_access}
Slide 26: 5. No grants? user_access('view published content');
Slide 27: 6. return FALSE;
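The node_access() flow of slides 18-27, as an added stand-alone PHP example (not the deck's or Drupal core's code): it models the six steps and shows how the NODE_ACCESS_DENY / ALLOW / IGNORE verdicts of two constructed modules (an article content type and the "age check" mentioned in the notes) are combined. Account, permission and node data are constructed, and step 4 (grants) is assumed absent.

```php
<?php
// Added example, not the deck's code: a stand-alone PHP model of the node_access() decision
// order on slides 18-27 and of how several modules' hook_node_access verdicts combine
// (slide 20). Accounts, permissions and both hook implementations are constructed.
define('NODE_ACCESS_ALLOW', 'allow');
define('NODE_ACCESS_DENY', 'deny');
define('NODE_ACCESS_IGNORE', NULL);
// user_access() as a plain permission lookup; uid 1 always passes (slide 18 notes).
function user_access($permission, array $account) {
  return $account['uid'] == 1 || in_array($permission, $account['perms'], TRUE);
}
// The content type's hook_node_access as on slides 21-23 (TYPE = article). A missing
// permission yields IGNORE, not DENY, so another module may still ALLOW.
function article_node_access(array $node, $op, array $account) {
  $own = $account['uid'] != 0 && $node['uid'] == $account['uid'];
  if ($op == 'create') {
    return user_access('create article content', $account) ? NODE_ACCESS_ALLOW : NODE_ACCESS_IGNORE;
  }
  if (($op == 'update' || $op == 'delete') && (user_access("$op any article content", $account)
      || ($own && user_access("$op own article content", $account)))) {
    return NODE_ACCESS_ALLOW;
  }
  return NODE_ACCESS_IGNORE;
}
// A second constructed module (the "age check" from the notes): an age-restricted node is
// denied to accounts under 18, whatever any other module returns.
function agecheck_node_access(array $node, $op, array $account) {
  return (!empty($node['adult']) && isset($account['age']) && $account['age'] < 18) ? NODE_ACCESS_DENY : NODE_ACCESS_IGNORE;
}
// node_access(): the steps of slides 18-27. Step 4 (grants) is left out, i.e. no node
// access module is active, so step 5 is the fallback for published content.
function node_access($op, array $node, array $account, array $hooks) {
  if (user_access('bypass node access', $account)) return TRUE;              // step 1
  if (!user_access('access content', $account)) return FALSE;
  $verdicts = array();
  foreach ($hooks as $hook) $verdicts[] = $hook($node, $op, $account);       // step 2
  if (in_array(NODE_ACCESS_DENY, $verdicts, TRUE)) return FALSE;             // one DENY wins
  if (in_array(NODE_ACCESS_ALLOW, $verdicts, TRUE)) return TRUE;             // else any ALLOW
  if ($op == 'view' && !$node['status'] && $node['uid'] == $account['uid'] && $account['uid'] != 0
      && user_access('view own unpublished content', $account)) return TRUE; // step 3
  if ($op == 'view' && $node['status'] && user_access('view published content', $account)) return TRUE; // step 5
  return FALSE;                                                               // step 6
}
$hooks = array('article_node_access', 'agecheck_node_access');
$teen = array('uid' => 7, 'age' => 15, 'perms' => array('access content', 'view published content'));
$adult_node = array('nid' => 1, 'uid' => 5, 'status' => 1, 'adult' => TRUE);
// The teen holds every permission the fallback needs, but agecheck's DENY is evaluated first.
var_dump(node_access('view', $adult_node, $teen, $hooks));
var_dump(node_access('view', array('nid' => 2, 'uid' => 5, 'status' => 1), $teen, $hooks));
```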
Slide 28: What have we learned today?
Slide 29: Permissions, user_access, node_access, hook_node_access, grants?
Slide 30: So, what is that granting all about?
Slide 31: {node_access}
Slide 32: hook_node_access_records(): return {node_access} records; doesn't care if a node is published or not
Slide 33: $grants[] = array('realm' => 'example_author', 'gid' => $node->uid, 'grant_view' => 1, 'grant_update' => 1, 'grant_delete' => 1, 'priority' => 0);
Slide 34: Deny all: $grants[] = array('realm' => 'all', 'gid' => 0, 'grant_view' => 0, 'grant_update' => 0, 'grant_delete' => 0, 'priority' => 1);
Slide 35: hook_node_access_records_alter(&$grants, $node)
Slide 36: node.module: node_access_acquire_grants($node)
Slide 37: hook_node_grants($account, $op): return $grants;
Slide 38: $grants['example_author'] = array($account->uid);
Slide 39: domain.module: $grants[] = array('realm' => 'domain_id', 'gid' => $node->domain_id, 'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0, 'priority' => 0);
Slide 40: domain.module: $grants['domain_id'] = array($current_domain->domain_id);
Slide 41: {node_access}
  nid  gid  realm           view  update  delete
  1    5    example_author  1     1       1
  1    2    domain_id       1     0       0
Slide 42: What have we learned today?
Slide 43: define records, save records, return user records
Slide 44: Where?
Slide 45: node.module: function node_access($op, $node, $account): view, update, delete
Slide 46: $query->addTag('node_access'): list
Slide 47: hook_query_TAG_alter(QueryAlterableInterface $query)
Slide 48: hook_query_node_access_alter(QueryAlterableInterface $query)
Slide 49: 1. $query->getMetaData('account'); $query->addMetaData('account', $account);
Slide 50: 2. $query->getMetaData('op'); $query->addMetaData('op', 'delete');
Slide 51: 3. user_access('bypass node access');
Slide 52: 4. Grants?
Slide 53: 5. node_access_view_all_nodes()
Slide 54: 6. $query->join('node_access');
Slide 55: Disables node_access checks
Slide 56: {node_deny}
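The grant mechanics of slides 32-43 and the list check of slides 45-54, as one added stand-alone PHP example (not the deck's or Drupal's code): it models how hook_node_access_records output is reduced to {node_access} rows by priority, with denies left implicit, and how hook_node_grants pairs are matched for a single node and for a list. The records hooks, nodes and accounts are constructed, including the deck's example_author realm and its deny-all record.

```php
<?php
// Added example (not the deck's or Drupal's code): a stand-alone model of how {node_access}
// records are acquired, filtered and matched. Nodes, accounts and both "modules" are constructed.
function example_author_records(array $node) { // hook_node_access_records(), slide 33
  return array(array('realm' => 'example_author', 'gid' => $node['uid'], 'grant_view' => 1, 'grant_update' => 1, 'grant_delete' => 1, 'priority' => 0));
}
function deny_all_records(array $node) { // the deck's "deny all" record (slide 34): priority 1, grants nothing
  return array(array('realm' => 'all', 'gid' => 0, 'grant_view' => 0, 'grant_update' => 0, 'grant_delete' => 0, 'priority' => 1));
}
function row($nid, $realm, $gid, $v, $u, $d) { // one {node_access} row
  return compact('nid', 'realm', 'gid') + array('grant_view' => $v, 'grant_update' => $u, 'grant_delete' => $d);
}
// node_access_acquire_grants(): collect every module's records, keep only the highest priority,
// and never write a row that grants nothing: a deny is implicit and is never stored.
function acquire_grants(array $node, array $hooks) {
  $records = array();
  foreach ($hooks as $hook) $records = array_merge($records, $hook($node));
  // No module spoke: a published node gets the default "all" grant.
  if (!$records) return $node['status'] ? array(row($node['nid'], 'all', 0, 1, 0, 0)) : array();
  $top = max(array_map(function ($r) { return (int) $r['priority']; }, $records));
  $rows = array();
  foreach ($records as $r) {
    if ((int) $r['priority'] === $top && ($r['grant_view'] || $r['grant_update'] || $r['grant_delete'])) {
      $rows[] = row($node['nid'], $r['realm'], $r['gid'], $r['grant_view'], $r['grant_update'], $r['grant_delete']);
    }
  }
  return $rows;
}
function user_grants(array $account) { // hook_node_grants(): realm => gids held; 'all' => 0 is always added
  return array('all' => array(0), 'example_author' => array($account['uid']));
}
// Step 4 of node_access() and the EXISTS subquery of the node_access query tag: accessible when
// one row of the node has grant_$op = 1 and a realm/gid pair the account holds.
function grant_access($op, $nid, array $table, array $grants) {
  foreach ($table as $r) {
    if ($r['nid'] == $nid && $r['grant_' . $op] && isset($grants[$r['realm']]) && in_array($r['gid'], $grants[$r['realm']])) return TRUE;
  }
  return FALSE;
}
function accessible_nids($op, array $nids, array $table, array $grants) { // the list case
  return array_values(array_filter($nids, function ($n) use ($op, $table, $grants) { return grant_access($op, $n, $table, $grants); }));
}
// Constructed table: node 1 has only the author record; node 2 also gets the deny-all record, whose
// priority 1 wins and is not written, so node 2 has no rows at all; node 3 gets the default "all" row.
$table = array_merge(
  acquire_grants(array('nid' => 1, 'uid' => 5, 'status' => 1), array('example_author_records')),
  acquire_grants(array('nid' => 2, 'uid' => 5, 'status' => 1), array('example_author_records', 'deny_all_records')),
  acquire_grants(array('nid' => 3, 'uid' => 9, 'status' => 1), array()));
print_r(accessible_nids('view', array(1, 2, 3), $table, user_grants(array('uid' => 5)))); // the author
print_r(accessible_nids('view', array(1, 2, 3), $table, user_grants(array('uid' => 8)))); // another user
```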
Slide 57: My custom security widget: it's a field
Slide 58: Per space: company allow / deny
Slide 59: Function allow / deny
Slide 61: {content_space_index}
Slide 62: $node->nid = 4; $node->space_id = 2; $node->company_allow = 0; $node->company = 'Nascom'; $node->company_allow = 1; $node->function = 'Developer';
Slide 63:
  nid  gid  realm  view  update  delete
  4    2    index  1     0       0
Slide 64:
  nid  gid     realm      view  update  delete
  4    Nascom  2_company  1     0       0
Slide 65:
  nid  gid        realm     view  update  delete
  4    Developer  function  ??    0       0
Slide 66: hook_node_access_records_alter, hook_node_access_records, hook_node_grants, hook_node_access, hook_node_grants_alter, node_query_node_access_alter, hook_node_access_acknowledge, hook_node_access_explain
Slide 67:
  http://api.drupal.org/api/drupal/modules%21node%21node.module/group/node_access/7
  http://api.drupal.org/api/drupal/modules%21node%21node.module/function/node_access/7
  http://www.palantir.net/blog/controlling-nodes-drupal-7
Slide 68: Applause
Slide 69: Feedback & follow-up: http://drupalcampgent.be/feedback
Drupalcamp gent - Node access
Drupal has some interesting ways to control access for content. I was forced to learn about all of them to be able to implement a custom security widget. Once you know how everything fits together it is fun to work with, but it took me more effort than I expected. I bumped into many walls. This is why I would like to guide you through this process.

I will talk about all the wrong paths I took to get where I had to be. This way I will cover multiple use cases. If you are a developer and want to know more about security, this could be an interesting session for you.

The main topics I will talk about are node_access and node_grants. I also added a custom layer for my project. If you know more about this it could be fun to open a discussion about different implementations.

Speaker notes (per slide):
  • Slide 2: mussels
  • Slide 3: 3 years Drupal developer
  • Slide 4: girlfriend
  • Slide 5: Nascom since 2009; 8 colleagues; designers, UX
  • Slide 6: Netlog; performance; backoffice
  • Slide 8: level audience; best Drupal developer; hipsters
  • Slide 9: why this subject; custom security widget; spaces
  • Slide 10: first concept; user_access; roles; permissions
  • Slide 12: demo; ex: comments
  • Slide 13: defined by modules; implemented by modules; demo
  • Slide 14: fetch permissions; check role of current user; user 1
  • Slide 15: second mechanism, actually two in one; node access function in node.module; permissions; hooks; grants: simple but hard to explain
  • Slide 16: access to what?? view/create/update/delete => node_access; list => grants; create: node type
  • Slide 17: use the node_access() function; let's go through the flow
  • Slide 18: cf. permissions admin page; user_access returns TRUE for user 1
  • Slide 19: 6 - only implemented by the module of the content type; 7 - much, much more flexible; hook_node_access is triggered
  • Slide 20: implement hook_node_access; args ($node, $op, $account); flexible, but at runtime -> performance; 3 return values; FALSE will break other modules; ex: age check; check custom created permissions; ex: domain
  • Slide 21: implementation of hook_node_access in node.module; checks permissions
  • Slide 22: check permissions; check if node is your own + check permissions
  • Slide 23: same as update
  • Slide 24: after hook_node_access: another permission; check if content is yours
  • Slide 25: Are grants implemented? Not only for lists; top of the iceberg -> table node_access
  • Slide 26: check permission
  • Slide 28: permissions; node_access; hook_node_access; grants?
  • Slide 29: function user_access; node_access -> operations; NODE_hook_node_access; table {node_access}
  • Slide 30: list operation; views; grants are records in table node_access; function node_access
  • Slide 31: revolves around 1 table
  • Slide 32: fill table with grants
  • Slide 33: node_access_record example; return as array; realm; 3 operations
  • Slide 34: deny all record; not written to database
  • Slide 35: alter hook; adjust grants of other modules
  • Slide 36: called after save; call after custom action; records are fetched and written to db; Reports > Status reports > Rebuild permissions; demo
  • Slide 37: $account, $op
  • Slide 38: array with realms as keys and gids as values
  • Slide 39: example domain module; records; multiple domains -> multiple records
  • Slide 40: example domain module; grants
  • Slide 41: records written to database
  • Slide 42: define records; return records; save records
  • Slide 43: 3 basic actions; define pots and lids; write combinations; get user lid
  • Slide 45: where do we use grants? not for create; fetch all records and return TRUE if found
  • Slide 46: grants for queries; dynamic query with tag
  • Slide 47: hook to alter queries
  • Slide 48: subquery of node_access records; rewrites query
  • Slides 49-52: get operation
  • Slide 53: grant with nid 0
  • Slide 54: get user grants and join with node_access table
  • Slide 55: View > Advanced > Other > Query settings; demo
  • Slide 56: subquery of node_access records; rewrites query
  • Slide 58: 2 components
  • Slide 66: subquery of node_access records; rewrites query
