[development] Getting Around The Limitations of hook_db_rewrite_sql
rob at torenware.com
Mon Apr 3 07:13:44 UTC 2006
I'm writing a module for 4.7 that needs to control access to nodes that
are only viewable by users who are approved via an external module. To
determine if a node is viewable, I need to check the user *and* the
node id. This would work, except for a design decision that was made
"for performance". Here's what it says in the docs, in the article
about "Node access rights":

    In node listings, the process above is followed except that
    is not called on each node for performance reasons and for proper
    functioning of the pager system. When adding a node listing to your
    module, be sure to use db_rewrite_sql
    <http://api.drupal.org/api/HEAD/function/db_rewrite_sql>() to add
    the appropriate clauses to your query for access checks.

In other words, even if you set up your hook_access to prohibit viewing
of your content, Drupal 4.7 *will display your private content to an
anonymous user*. Once your private node gets added to the list, there
are no further checks to your hook access to determine if your node is
safe to display. I don't see any way that hook_db_rewrite_sql can be
used for this purpose, since there is no simple relationship between the
current user and whether a node should be viewable, short of doing one
of the following things:
  * I could use an IN () clause to list every node id of the given
    type that the given user is allowed to see. This may work in my
    current situation, but there can easily be *thousands* of these in
    some applications. So this is not a general solution.
  * I could manipulate the node_access table *on the fly* each time a
    user with some access to the content type.
  * I could somehow hack the node to hide itself by not
    displaying any sensitive content in hook_view, and theming it to
    be hidden via CSS.
IMNHO, this is completely insane.
What's the best way to get around this, um, performance enhancement?
It may help improve
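
The listing-query filter that the quoted documentation asks for can be written as a join instead of an IN () list. The following is an added example, not part of the original message or of Drupal itself. It assumes the external approvals are mirrored into module-owned tables; the module name "extapproval" and both table names are hypothetical.

```php
<?php
// Added example. Hypothetical module "extapproval" with an assumed schema:
//   {extapproval_node}   (nid)       one row per node that requires approval
//   {extapproval_access} (nid, uid)  one row per approved user per node,
//                                    primary key (nid, uid)

/**
 * Implementation of hook_db_rewrite_sql().
 *
 * Adds the access restriction to every node listing query that is passed
 * through db_rewrite_sql(), so restricted nodes never reach the listing.
 */
function extapproval_db_rewrite_sql($query, $primary_table, $primary_field, $args) {
  global $user;

  // Only rewrite queries whose primary field is a node id.
  if ($primary_field != 'nid') {
    return;
  }

  // Assumption: node administrators may see every node.
  if (user_access('administer nodes')) {
    return;
  }

  // Cast to int so the value placed into the SQL string is always numeric.
  // Anonymous users have uid 0, which matches no approval row.
  $uid = (int) $user->uid;

  $return = array();

  // First join: is this node restricted at all?
  // Second join: does the current user hold an approval for it?
  // The (nid, uid) primary key means neither join can duplicate rows,
  // so the pager counts stay correct without DISTINCT.
  $return['join'] = "LEFT JOIN {extapproval_node} ea_n ON ea_n.nid = $primary_table.nid "
    . "LEFT JOIN {extapproval_access} ea_a ON ea_a.nid = $primary_table.nid AND ea_a.uid = $uid";

  // Keep the row if the node is unrestricted or the user is approved.
  $return['where'] = '(ea_n.nid IS NULL OR ea_a.uid IS NOT NULL)';

  return $return;
}
```

The filter only applies to queries that are actually wrapped in db_rewrite_sql(), and the per-node view check still has to enforce the same rule for direct requests to a node.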