On Apr 3, 2006, at 3:13 AM, Rob Thorne wrote:
> In other words, even if you set up your hook_access to prohibit viewing of your content, Drupal 4.7 *will display your private content to an anonymous user*. Once your private node gets added to the list, there are no further checks to your hook access to determine if your node is safe to display.
> IMNHO, this is completely insane.
I'm not sure what the best solution to your problem is, but I think I can help you to understand the reasons behind this decision. Consider a paged listing of nodes. If we are to display the first 10 nodes of 1000 on a site, we call db_query_range() to fetch just those entries. This is fast. Now suppose we use hook_access() to check for access to each of those 10. What if none of those pass the access check? Then you have a page with no nodes printed, even if the next 10 would have passed the check! So what are the possible solutions? One could fetch all of the results rather than a range, and use PHP to iterate through the results and call the function on each until 10 are found. I think that *now* we are in insane territory. Other than that, the only option is to perform the access check within the database call itself. This was the decision that was made.