function node_query_node_access_alter

Implements hook_query_TAG_alter().

This is the hook_query_alter() for queries tagged with 'node_access'. It adds node access checks for the user account given by the 'account' meta-data (or global $user if not provided), for an operation given by the 'op' meta-data (or 'view' if not provided; other possible values are 'update' and 'delete').

Related topics

Node access rights
The node access system determines who can do what to which nodes.

File

drupal/core/modules/node/node.module, line 3019
The core module that allows content to be submitted to the site.

Code

function node_query_node_access_alter(AlterableInterface $query) {
  global $user;

  // Read meta-data from query, if provided.
  if (!($account = $query
    ->getMetaData('account'))) {
    $account = $user;
  }
  if (!($op = $query
    ->getMetaData('op'))) {
    $op = 'view';
  }

  // If $account can bypass node access, or there are no node access modules,
  // or the operation is 'view' and the $account has a global view grant
  // (such as a view grant for node ID 0), we don't need to alter the query.
  if (user_access('bypass node access', $account)) {
    return;
  }
  if (!count(module_implements('node_grants'))) {
    return;
  }
  if ($op == 'view' && node_access_view_all_nodes($account)) {
    return;
  }
  $tables = $query
    ->getTables();
  $base_table = $query
    ->getMetaData('base_table');

  // If the base table is not given, default to node if present.
  if (!$base_table) {
    foreach ($tables as $table_info) {
      if (!$table_info instanceof SelectInterface) {
        $table = $table_info['table'];

        // If the node table is in the query, it wins immediately.
        if ($table == 'node') {
          $base_table = $table;
          break;
        }
      }
    }

    // Bail out if the base table is missing.
    if (!$base_table) {
      throw new Exception(t('Query tagged for node access but there is no node table, specify the base_table using meta data.'));
    }
  }

  // Find all instances of the base table being joined -- could appear
  // more than once in the query, and could be aliased. Join each one to
  // the node_access table.
  $grants = node_access_grants($op, $account);
  foreach ($tables as $nalias => $tableinfo) {
    $table = $tableinfo['table'];
    if (!$table instanceof SelectInterface && $table == $base_table) {

      // Set the subquery.
      $subquery = db_select('node_access', 'na')
        ->fields('na', array(
        'nid',
      ));
      $grant_conditions = db_or();

      // If any grant exists for the specified user, then user has access
      // to the node for the specified operation.
      foreach ($grants as $realm => $gids) {
        foreach ($gids as $gid) {
          $grant_conditions
            ->condition(db_and()
            ->condition('na.gid', $gid)
            ->condition('na.realm', $realm));
        }
      }

      // Attach conditions to the subquery for nodes.
      if (count($grant_conditions
        ->conditions())) {
        $subquery
          ->condition($grant_conditions);
      }
      $subquery
        ->condition('na.grant_' . $op, 1, '>=');
      $field = 'nid';

      // Now handle entities.
      $subquery
        ->where("{$nalias}.{$field} = na.nid");
      $query
        ->exists($subquery);
    }
  }
}