Implements hook_query_TAG_alter().
This is the hook_query_alter() for queries tagged with 'node_access'. It adds node access checks for the user account given by the 'account' meta-data (or global $user if not provided), for an operation given by the 'op' meta-data (or 'view' if not provided; other possible values are 'update' and 'delete').
Queries tagged with 'node_access' that are not against the {node} table must add the base table as metadata. For example:
$query
->addTag('node_access')
->addMetaData('base_table', 'taxonomy_index');
function node_query_node_access_alter(AlterableInterface $query) {
global $user;
// Read meta-data from query, if provided.
if (!($account = $query
->getMetaData('account'))) {
$account = $user;
}
if (!($op = $query
->getMetaData('op'))) {
$op = 'view';
}
if (!($langcode = $query
->getMetaData('langcode'))) {
$langcode = FALSE;
}
// If $account can bypass node access, or there are no node access modules,
// or the operation is 'view' and the $account has a global view grant
// (such as a view grant for node ID 0), we don't need to alter the query.
if (user_access('bypass node access', $account)) {
return;
}
if (!count(module_implements('node_grants'))) {
return;
}
if ($op == 'view' && node_access_view_all_nodes($account)) {
return;
}
$tables = $query
->getTables();
$base_table = $query
->getMetaData('base_table');
// If the base table is not given, default to node if present.
if (!$base_table) {
foreach ($tables as $table_info) {
if (!$table_info instanceof SelectInterface) {
$table = $table_info['table'];
// If the node table is in the query, it wins immediately.
if ($table == 'node' || $table == 'node_field_data') {
$base_table = $table;
break;
}
}
}
// Bail out if the base table is missing.
if (!$base_table) {
throw new Exception(t('Query tagged for node access but there is no node table, specify the base_table using meta data.'));
}
}
// Find all instances of the base table being joined -- could appear
// more than once in the query, and could be aliased. Join each one to
// the node_access table.
$grants = node_access_grants($op, $account);
$base_table_found = FALSE;
foreach ($tables as $nalias => $tableinfo) {
$table = $tableinfo['table'];
if (!$table instanceof SelectInterface && $table == $base_table) {
$base_table_found = TRUE;
// Set the subquery.
$subquery = db_select('node_access', 'na')
->fields('na', array(
'nid',
));
$grant_conditions = db_or();
// If any grant exists for the specified user, then user has access to the
// node for the specified operation.
foreach ($grants as $realm => $gids) {
foreach ($gids as $gid) {
$grant_conditions
->condition(db_and()
->condition('na.gid', $gid)
->condition('na.realm', $realm));
}
}
// Attach conditions to the subquery for nodes.
if (count($grant_conditions
->conditions())) {
$subquery
->condition($grant_conditions);
}
$subquery
->condition('na.grant_' . $op, 1, '>=');
// Add langcode-based filtering if this is a multilingual site.
if (language_multilingual()) {
// If no specific langcode to check for is given, use the grant entry
// which is set as a fallback.
// If a specific langcode is given, use the grant entry for it.
if ($langcode === FALSE) {
$subquery
->condition('na.fallback', 1, '=');
}
else {
$subquery
->condition('na.langcode', $langcode, '=');
}
}
$field = 'nid';
// Now handle entities.
$subquery
->where("{$nalias}.{$field} = na.nid");
$query
->exists($subquery);
}
}
// If we reached this point and did not find the defined base table, throw
// an exception.
if (!$base_table_found) {
throw new Exception(t('Query tagged for node access but the defined base_table @base_table was not found', array(
'@base_table' => $base_table,
)));
}
}