function hook_node_access

Controls access to a node.

Modules may implement this hook if they want to have a say in whether or not a given user has access to perform a given operation on a node.

The administrative account (user ID #1) always passes any access check, so this hook is not called in that case. Users with the "bypass node access" permission may always view and edit content through the administrative interface.

Note that not all modules will want to influence access on all node types. If your module does not want to actively grant or block access, return NODE_ACCESS_IGNORE or simply return nothing. Blindly returning FALSE will break other node access modules.

Also note that this function isn't called for node listings (e.g., RSS feeds, the default home page at path 'node', a recent content block, etc.) See Node access rights for a full explanation.

Parameters

Drupal\node\Node|string $node: Either a node entity or the machine name of the content type on which to perform the access check.

string $op: The operation to be performed. Possible values:

  • "create"
  • "delete"
  • "update"
  • "view"

object $account: The user object to perform the access check operation on.

object $langcode: The language code to perform the access check operation on.

Return value

string

Related topics

Hooks
Allow modules to interact with the Drupal core.
Node access rights
The node access system determines who can do what to which nodes.
3 functions implement hook_node_access()

Note: this list is generated by pattern matching, so it may include some functions that are not actually implementations of this hook.

node_access_test_node_access in drupal/core/modules/node/tests/modules/node_access_test/node_access_test.module
Implements hook_node_access().
node_node_access in drupal/core/modules/node/node.module
Implements hook_node_access().
translation_node_access in drupal/core/modules/translation/translation.module
Implements hook_node_access().
1 invocation of hook_node_access()
node_access in drupal/core/modules/node/node.module
Access callback: Checks a user's permission for performing a node operation.

File

drupal/core/modules/node/node.api.php, line 618
Hooks provided by the Node module.

Code

function hook_node_access($node, $op, $account, $langcode) {
  $type = is_string($node) ? $node : $node->type;
  $configured_types = node_permissions_get_configured_types();
  if (isset($configured_types[$type])) {
    if ($op == 'create' && user_access('create ' . $type . ' content', $account)) {
      return NODE_ACCESS_ALLOW;
    }
    if ($op == 'update') {
      if (user_access('edit any ' . $type . ' content', $account) || user_access('edit own ' . $type . ' content', $account) && $account->uid == $node->uid) {
        return NODE_ACCESS_ALLOW;
      }
    }
    if ($op == 'delete') {
      if (user_access('delete any ' . $type . ' content', $account) || user_access('delete own ' . $type . ' content', $account) && $account->uid == $node->uid) {
        return NODE_ACCESS_ALLOW;
      }
    }
  }

  // Returning nothing from this function would have the same effect.
  return NODE_ACCESS_IGNORE;
}