Drupalcamp gent - Node access
•Download as KEY, PDF•
0 likes•1,799 views
Drupal has some interesting ways to control access for content. I was forced to learn about all of them to be able to implement a custom security widget. Once you know how everything fits into each other it is fun to work with, but it took me more effort than I expected. I bumped into many walls. This is why I like to guide you through this proccess. I will talk about all the wrong paths I took to get where I had to be. This way I will cover multiple use cases. If you are a developer and want to know more about security, this could be an interesting session for you. The main topics I will talk about are node_access and node_grants. I also added a custom layer for my project. If you know more about this it could be fun to open a discussion about different implementations.
More Related Content
What's hot
What's hot (20)
Similar to Drupalcamp gent - Node access
Similar to Drupalcamp gent - Node access (20)
Recently uploaded
Recently uploaded (20)
Drupalcamp gent - Node access
- 1. Node access Jasper Knops
- 2. whoami 2
- 3. <strong> 3
- 4. <3 4
- 5. 5
- 6. 6
- 7. wtf 7
- 8. 8
- 9. Why? 9
- 10. Permissions 10
- 13. Permissions view content add block edit articles delete users 13
- 15. node_access() 2 basic implementation grants 15
- 16. view create update delete 5 operations list 16
- 17. node.module function node_access() $op, $node, $account 17
- 18. 1 Check permission user_access(‘bypass node access’); user_access(‘access content’); 18
- 19. 2 6 node.php hook_access($op, $node, $account) 7 node.api.php hook_node_access($node, $op, $account) 19
- 20. MODULE_node_access() { return NODE_ACCESS_DENY; return NODE_ACCESS_IGNORE; return NODE_ACCESS_ALLOW; } 20
- 21. NODE_node_access() { case ‘create’: user_access(‘create TYPE content’); } 21
- 22. NODE_node_access() { case ‘update’: user_access(‘update any TYPE content’); user_access(‘update own TYPE content’); } 22
- 23. NODE_node_access() { case ‘delete’: user_access(’delete any TYPE content’); user_access(‘delete own TYPE content’); } 23
- 24. 3 Check permission user_access(‘view own unpublished content’); 24
- 25. 4 Grants? table {node_access} 25
- 26. 5 No grants? user_access(‘view published content’); 26
- 27. 6 return FALSE; 27
- 28. Wat hebben we vandaah heleerd? 28
- 29. Permissions user_access node_access hook_node_access grants? 29
- 30. So, what is that granting all about? 30
- 31. {node_access} 31
- 32. hook_node_access_records() return {node_access} records doesn’t care if a node is published or not 32
- 33. $grants[] = array( 'realm' => 'example_author', 'gid' => $node->uid, 'grant_view' => 1, 'grant_update' => 1, 'grant_delete' => 1, 'priority' => 0, ); 33
- 34. Deny all $grants[] = array( 'realm' => 'all', 'gid' => 0, 'grant_view' => 0, 'grant_update' => 0, 'grant_delete' => 0, 'priority' => 1, ); 34
- 35. hook_node_access_records_alter() &$grants, $node 35
- 36. node.module node_access_acquire_grants() $node 36
- 37. hook_node_access_grants() return $grants; 37
- 38. $grants[‘example_author’] = array( $account->uid, ); 38
- 39. domain.module $grants[] = array( 'realm' => 'domain_id', 'gid' => $node->domain_id, 'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0, 'priority' => 0, ); 39
- 40. domain.module $grants[‘domain_id’] = array( $current_domain->domain_id, ); 40
- 41. {node_access} nid gid realm view update delete 1 5 example_author 1 1 1 1 2 domain_id 1 0 0 41
- 42. Wat hebben we vandaah heleerd? 42
- 43. define records save records return user records 43
- 44. Where? 44
- 45. node.module function node_access() $op, $node, $account view update delete 45
- 46. $query->addTag(‘node_access’) list 46
- 47. hook_query_TAG_alter(QueryAlt erableInterface $query) 47
- 49. 1 $query->getMetaData(‘account’); $query->addMetaData(‘account’, $account); 49
- 50. 2 $query->getMetaData(‘op’); $query->addMetaData(‘op’, ‘delete’); 50
- 51. 3 user_access('bypass node access'); 51
- 52. 4 Grants? 52
- 54. 6 $query->join(‘node_access’); 54
- 55. Disables node_access checks 55
- 56. {node_deny} 56
- 57. My custom security widget It ‘s a field 57
- 58. Per space Company allow / deny 58
- 59. Function allow / deny 59
- 60. 60
- 61. {content_space_index} 61
- 62. $node->nid = 4; $node->space_id = 2; $node->company_allow = 0; $node->company = ‘Nascom’; $node->company_allow = 1; $node->function = ‘Developer’; 62
- 63. nid gid realm view update delete 4 2 index 1 0 0 63
- 64. nid gid realm view update delete 4 Nascom 2_company 1 0 0 64
- 65. nid gid realm view update delete 4 Developer function ?? 0 0 65
- 66. hook_node_access_records_alter hook_node_access_records hook_node_grants hook_node_access hook_node_grants_alter node_query_node_access_alter hook_node_access_acknowledge hook_node_access_explain 66
- 68. Applause 68
Editor's Notes
- \n
- mussels\n
- 3 years drupal developer\n
- girlfriend\n
- nascom since 2009\n8 collegues\ndesigners, ux\n
- netlog\nperformance\nbackoffice\n
- \n
- level audience\nbest drupal developer\nhipsters\n
- why this subject\ncustom security widget\nspaces\n
- first concept\nuser_access\nroles\npermissions\n
- \n
- demo\nex: comments\n
- defined by modules\nimplemented by modules\ndemo\n
- fetch permissions\ncheck role current user\nuser 1\n
- second mechanism, actually two in one\nnode access function in node.module\npermissions\nhooks\ngrants : simple but hard to explain\n
- access to what??\nview/create/update/delete => node_access\nlist => grants\ncreate: node type\n
- use node_access() function\nlets go through the flow\n
- cfr permissions admin page\nuser_access return TRUE for user 1\n
- 6 - Only implemented by module of content type\n7 - Much much more flexible\nhook_node_access is triggered\n
- Implement hook_node_access\nargs($node, $op, $account)\nflexible but at runtime -> performance\n3 return values\nFALSE will brake other modules\nex: age check\ncheck custom created permissions\nex: domain\n
- implementation of hook_node_access of node.module\nchecks permissions\n
- check permissions\ncheck if node is your own + check permissions\n
- same as update\n
- after hook_node_access \nanother permissions\ncheck if content is yours\n
- Are grants implemented?\nNot only for lists\nTop of the iceberg -> table node_access\n
- check permission\n
- \n
- Permissions\nnode_access\nhook_node_access\ngrants?\n
- function user_access\nnode_access -> operations\nNODE_hook_node_access\ntable {node_access}\n
- list operation\nviews\ngrants are records in table node_access\nfunction node_access\n\n
- Draait rond 1 tabel\n
- fill table with grants\n
- node_access_record example\nreturn as array\nrrelm\n3 operations\n\n
- deny all record\nnot written to database\n\n
- alter hook\nadjust grants of other modules\n
- called after save\ncall after custom action\nrecords are fetched and written to db\nReports > Status reports > Rebuild permissions\ndemo\n
- $account, $op\n
- array with realms as keys and gids as value\n
- example domain module\nrecords\nmultiple domain -> multiple records\n
- example domain module\ngrants\n
- records written to database\n
- define records\nreturn records\nsave records\n
- 3 basic actions\ndefine pottekes and deksels\nwrite combinations\nget user deksel\n\n
- \n
- where do we use grants?\nnot for create\nfetch all records and return TRUE if found\n
- Grants for queries\ndynamic query with tag\n
- hook to alter queries\n
- subquery of node_access records\nrewrites query\n
- get operation\n
- get operation\n
- get operation\n
- get operation\n
- grant with nid 0\n
- Get user grants and join with node_access table\n
- View > Advanced > Other > Query settings\ndemo\n
- subquery of node_access records\nrewrites query\n
- \n
- 2 components\n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- subquery of node_access records\nrewrites query\n
- \n
- \n
- \n