Drupalcamp gent - Node access
Drupal has some interesting ways to control access for content. I was forced to learn about all of them to be able to implement a custom security widget. Once you know how everything fits into each other it is fun to work with, but it took me more effort than I expected. I bumped into many walls. This is why I like to guide you through this process.

I will talk about all the wrong paths I took to get where I had to be. This way I will cover multiple use cases. If you are a developer and want to know more about security, this could be an interesting session for you.

The main topics I will talk about are node_access and node_grants. I also added a custom layer for my project. If you know more about this it could be fun to open a discussion about different implementations.

Speaker notes

  • mussels
  • 3 years drupal developer
  • girlfriend
  • nascom since 2009
    8 colleagues
    designers, ux
  • netlog
    performance
    backoffice
  • level audience
    best drupal developer
    hipsters
  • why this subject
    custom security widget
    spaces
  • first concept
    user_access
    roles
    permissions
  • demo
    ex: comments
  • defined by modules
    implemented by modules
    demo
  • fetch permissions
    check role current user
    user 1
  • second mechanism, actually two in one
    node access function in node.module
    permissions
    hooks
    grants: simple but hard to explain
  • access to what?
    view/create/update/delete => node_access
    list => grants
    create: node type
  • use node_access() function
    let's go through the flow
  • cfr permissions admin page
    user_access returns TRUE for user 1
  • 6 - only implemented by module of content type
    7 - much much more flexible
    hook_node_access is triggered
  • implement hook_node_access
    args($node, $op, $account)
    flexible but at runtime -> performance
    3 return values
    FALSE will break other modules
    ex: age check
    check custom created permissions
    ex: domain
  • implementation of hook_node_access of node.module
    checks permissions
  • check permissions
    check if node is your own + check permissions
  • same as update
  • after hook_node_access
    another permission
    check if content is yours
  • Are grants implemented?
    Not only for lists
    Top of the iceberg -> table node_access
  • check permission
  • Permissions
    node_access
    hook_node_access
    grants?
  • function user_access
    node_access -> operations
    NODE_hook_node_access
    table {node_access}
  • list operation
    views
    grants are records in table node_access
    function node_access
  • Revolves around 1 table
  • fill table with grants
  • node_access_record example
    return as array
    realm
    3 operations
  • deny all record
    not written to database
  • alter hook
    adjust grants of other modules
  • called after save
    call after custom action
    records are fetched and written to db
    Reports > Status reports > Rebuild permissions
    demo
  • $account, $op
  • array with realms as keys and gids as value
  • example domain module
    records
    multiple domains -> multiple records
  • example domain module
    grants
  • records written to database
  • define records
    return records
    save records
  • 3 basic actions
    define pots and lids
    write combinations
    get the user's lid
  • where do we use grants?
    not for create
    fetch all records and return TRUE if found
  • Grants for queries
    dynamic query with tag
  • hook to alter queries
  • subquery of node_access records
    rewrites query
  • get operation
  • grant with nid 0
  • Get user grants and join with node_access table
  • View > Advanced > Other > Query settings
    demo
  • 2 components

Drupalcamp gent - Node access Presentation Transcript

  • 1. Node access - Jasper Knops
  • 2. whoami
  • 3. <strong>
  • 4. <3
  • 7. wtf
  • 9. Why?
  • 10. Permissions
  • 11. Roles, Permissions, user_access()
  • 12. Roles: anonymous, authenticated, custom roles
  • 13. Permissions: view content, add block, edit articles, delete users
  • 14. function user_access($string, $account)
  • 15. node_access(): 2 basic implementations, grants
  • 16. 5 operations: view, create, update, delete, list
  • 17. node.module: function node_access($op, $node, $account)
  • 18. Step 1 - Check permission: user_access('bypass node access'); user_access('access content');
  • 19. Step 2 - Drupal 6: node.php, hook_access($op, $node, $account); Drupal 7: node.api.php, hook_node_access($node, $op, $account)
  • 20. MODULE_node_access() { return NODE_ACCESS_DENY; return NODE_ACCESS_IGNORE; return NODE_ACCESS_ALLOW; }
  • 21. NODE_node_access() { case 'create': user_access('create TYPE content'); }
  • 22. NODE_node_access() { case 'update': user_access('update any TYPE content'); user_access('update own TYPE content'); }
  • 23. NODE_node_access() { case 'delete': user_access('delete any TYPE content'); user_access('delete own TYPE content'); }
  • 24. Step 3 - Check permission: user_access('view own unpublished content');
  • 25. Step 4 - Grants? table {node_access}
  • 26. Step 5 - No grants? user_access('view published content');
  • 27. Step 6 - return FALSE;
  • 28. What did we learn today?
  • 29. Permissions, user_access, node_access, hook_node_access, grants?
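The hook_node_access() step of the flow in slides 17-27 (step 2), as an added example that is not taken from the slides or from any real module: a hypothetical "agecheck" module defines one custom permission and denies the view operation on age-restricted articles to accounts that lack it, staying neutral (NODE_ACCESS_IGNORE) for everything else so the rest of node_access() and the grants table still decide. The module name, the permission string and the field name field_age_restricted are assumptions; the hook signatures and constants are Drupal 7's.

```php
<?php
// Added example, not from the presentation. Hypothetical module "agecheck".

/**
 * Implements hook_permission().
 *
 * The custom permission checked by the access hook below.
 */
function agecheck_permission() {
  return array(
    'view age restricted articles' => array(
      'title' => t('View age restricted articles'),
    ),
  );
}

/**
 * Implements hook_node_access().
 *
 * This runs on every node_access() call for every module that implements it,
 * so keep the work cheap (no extra queries here). Return exactly one of the
 * three constants: a single NODE_ACCESS_DENY from any module overrides every
 * NODE_ACCESS_ALLOW, and NODE_ACCESS_IGNORE leaves the decision to others.
 * Note that user 1 and 'bypass node access' are handled before this hook is
 * reached (step 1 of the flow).
 */
function agecheck_node_access($node, $op, $account) {
  // For the 'create' operation $node is the content type name, not an object.
  $type = is_object($node) ? $node->type : $node;
  if ($type != 'article' || $op != 'view') {
    return NODE_ACCESS_IGNORE;
  }

  // Assumption: a boolean field on the node marks it as age restricted.
  $restricted = !empty($node->field_age_restricted[LANGUAGE_NONE][0]['value']);
  if ($restricted && !user_access('view age restricted articles', $account)) {
    return NODE_ACCESS_DENY;
  }

  // Deliberately not ALLOW: a non-restricted article should still go through
  // node.module's own permission checks and the {node_access} grants.
  return NODE_ACCESS_IGNORE;
}
```

The hook only ever narrows access; granting with NODE_ACCESS_ALLOW here would short-circuit the later grants check in node_access(), which is usually not what a restriction module wants.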
  • 30. So, what is that granting all about?
  • 31. {node_access}
  • 32. hook_node_access_records(): return {node_access} records; doesn't care if a node is published or not
  • 33. $grants[] = array('realm' => 'example_author', 'gid' => $node->uid, 'grant_view' => 1, 'grant_update' => 1, 'grant_delete' => 1, 'priority' => 0);
  • 34. Deny all: $grants[] = array('realm' => 'all', 'gid' => 0, 'grant_view' => 0, 'grant_update' => 0, 'grant_delete' => 0, 'priority' => 1);
  • 35. hook_node_access_records_alter(&$grants, $node)
  • 36. node.module: node_access_acquire_grants($node)
  • 37. hook_node_grants(): return $grants;
  • 38. $grants['example_author'] = array($account->uid);
  • 39. domain.module: $grants[] = array('realm' => 'domain_id', 'gid' => $node->domain_id, 'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0, 'priority' => 0);
  • 40. domain.module: $grants['domain_id'] = array($current_domain->domain_id);
  • 41. {node_access}
    nid  gid  realm           view  update  delete
    1    5    example_author  1     1       1
    1    2    domain_id       1     0       0
  • 42. What did we learn today?
  • 43. define records, save records, return user records
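The three grant actions of slides 31-43 (define records, save records, return the user's grants) carried through as one added example that is not from the slides: a hypothetical "example_author" module keeps the realm/gid scheme shown on slides 33 and 38 and adds the priority 1 "deny all" record of slide 34 behind a lock flag, so the effect of priorities is visible. Drupal 7 keeps only the records with the highest priority for a node, and a record whose three grant columns are all 0 is never written, which is why the deny-all record leaves the node without any row in {node_access}. The module name and the field name field_locked are assumptions.

```php
<?php
// Added example, not from the presentation. Hypothetical module "example_author".

/**
 * Implements hook_node_access_records().
 *
 * Called from node_access_acquire_grants() on every node save and during
 * "Rebuild permissions". Runs for published and unpublished nodes alike, so
 * the records themselves must not assume the node is visible.
 */
function example_author_node_access_records($node) {
  $grants = array();

  // Assumption: a boolean field that freezes a node for everyone.
  if (!empty($node->field_locked[LANGUAGE_NONE][0]['value'])) {
    // Priority 1 beats every priority 0 record below. Because all grant
    // columns are 0 nothing is written, so only 'bypass node access' users
    // can still reach the node.
    $grants[] = array(
      'realm' => 'all',
      'gid' => 0,
      'grant_view' => 0,
      'grant_update' => 0,
      'grant_delete' => 0,
      'priority' => 1,
    );
    return $grants;
  }

  // Pot and lid: realm 'example_author', gid = author uid. Anyone holding the
  // same gid in this realm (see hook_node_grants() below) gets full access.
  $grants[] = array(
    'realm' => 'example_author',
    'gid' => $node->uid,
    'grant_view' => 1,
    'grant_update' => 1,
    'grant_delete' => 1,
    'priority' => 0,
  );
  return $grants;
}

/**
 * Implements hook_node_grants().
 *
 * Returns the lids the account holds: an array keyed by realm with a list of
 * gids. $op is 'view', 'update' or 'delete'; here the answer is the same for
 * all three because the record above carries all three grant columns.
 */
function example_author_node_grants($account, $op) {
  $grants = array();
  // Skip anonymous: uid 0 would otherwise match nodes authored by uid 0.
  if (!empty($account->uid)) {
    $grants['example_author'] = array($account->uid);
  }
  return $grants;
}

/**
 * Implements hook_enable() (belongs in example_author.install).
 *
 * Existing nodes have no records for the new realm yet; flag a rebuild so
 * the status report offers "Rebuild permissions" instead of serving stale
 * {node_access} rows.
 */
function example_author_enable() {
  node_access_needs_rebuild(TRUE);
}
```

A quick check after enabling and rebuilding: the {node_access} row for a node authored by uid 5 is `nid, 5, example_author, 1, 1, 1`, matching the first row of the table on slide 41, and a locked node has no row at all.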
  • 44. Where?
  • 45. node.module: function node_access($op, $node, $account) for view, update, delete
  • 46. $query->addTag('node_access') for list
  • 47. hook_query_TAG_alter(QueryAlterableInterface $query)
  • 48. hook_query_node_access_alter(QueryAlterableInterface $query)
  • 49. Step 1 - $query->getMetaData('account'); $query->addMetaData('account', $account);
  • 50. Step 2 - $query->getMetaData('op'); $query->addMetaData('op', 'delete');
  • 51. Step 3 - user_access('bypass node access');
  • 52. Step 4 - Grants?
  • 53. Step 5 - node_access_view_all_nodes()
  • 54. Step 6 - $query->join('node_access');
  • 55. Disables node_access checks
  • 56. {node_deny}
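The list operation of slides 45-54, as an added example that is not from the slides: a dynamic query tagged with 'node_access' so that node.module's node_query_node_access_alter() runs steps 1-6 against it (reads the account and op metadata, skips users with 'bypass node access', and otherwise joins the user's grants with {node_access}). The untagged variant beside it is what a listing looks like when the tag is forgotten: it returns every node regardless of grants, which is the same effect as the "disable SQL rewriting" query setting in Views mentioned on slide 55. The function names are assumptions; db_select(), addTag() and addMetaData() are Drupal 7 database API.

```php
<?php
// Added example, not from the presentation.

/**
 * Node ids of published nodes that $account may update, filtered by grants.
 *
 * Without the 'node_access' tag the query is never rewritten. The metadata
 * defaults are the global $user and op 'view', so a listing built for another
 * account or for update/delete must set both explicitly.
 */
function example_updatable_nids($account) {
  $query = db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.status', 1);
  $query->addTag('node_access');
  $query->addMetaData('account', $account);
  $query->addMetaData('op', 'update');
  return $query->execute()->fetchCol();
}

/**
 * The same listing without the tag: every published nid, grants ignored.
 *
 * Kept here only to make the difference visible; a listing like this leaks
 * node ids (and, with more fields, content) the account cannot node_access().
 */
function example_all_published_nids_unchecked() {
  return db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.status', 1)
    ->execute()
    ->fetchCol();
}

/**
 * Cross-check used when debugging a listing: every nid the tagged query
 * returns must also pass the per-node check for the same account and op.
 */
function example_listing_matches_node_access($account) {
  foreach (node_load_multiple(example_updatable_nids($account)) as $node) {
    if (!node_access('update', $node, $account)) {
      return FALSE;
    }
  }
  return TRUE;
}
```

The cross-check is the practical test for a grants implementation: the tagged query (slide 46) and node_access() (slide 45) read the same {node_access} table, so a nid that appears in the list but fails node_access() points at a hook_node_grants() that returns gids hook_node_access_records() never wrote.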
  • 57. My custom security widget: it's a field
  • 58. Per space: Company allow / deny
  • 59. Function allow / deny
  • 61. {content_space_index}
  • 62. $node->nid = 4; $node->space_id = 2; $node->company_allow = 0; $node->company = 'Nascom'; $node->company_allow = 1; $node->function = 'Developer';
  • 63. nid  gid  realm  view  update  delete
    4    2    index  1     0       0
  • 64. nid  gid     realm      view  update  delete
    4    Nascom  2_company  1     0       0
  • 65. nid  gid        realm     view  update  delete
    4    Developer  function  ??    0       0
  • 66. hook_node_access_records_alter, hook_node_access_records, hook_node_grants, hook_node_access, hook_node_grants_alter, node_query_node_access_alter, hook_node_access_acknowledge, hook_node_access_explain
  • 67. http://api.drupal.org/api/drupal/modules%21node%21node.module/group/node_access/7
    http://api.drupal.org/api/drupal/modules%21node%21node.module/function/node_access/7
    http://www.palantir.net/blog/controlling-nodes-drupal-7
  • 68. Applause
  • 69. Feedback & follow-up: http://drupalcampgent.be/feedback