[development] Getting Around The Limitations of hook_db_rewrite_sql

Jonathan Chaffer jchaffer at structureinteractive.com
Mon Apr 3 14:52:26 UTC 2006

On Apr 3, 2006, at 3:13 AM, Rob Thorne wrote:

> In other words, even if you set up your hook_access to prohibit  
> viewing of your content, Drupal 4.7 *will display your private  
> content to an anonymous user*.  Once your private node gets added  
> to the list, there are no further checks to your hook access to  
> determine if your node is safe to display.

> IMNHO, this is complete insane.

I'm not sure what the best solution to your problem is, but I think I  
can help you to understand the reasons behind this decision. Consider  
a paged listing of nodes. If we are to display the first 10 nodes of  
1000 on a site, we call db_query_range() to fetch just those entries.  
This is fast. Now suppose we use hook_access() to check for access to  
each of those 10. What if none of those pass the access check? Then  
you have a page with no nodes printed, even if the next 10 would have  
passed the check!

So what are the possible solutions? One could fetch all of the  
results rather than a range, and use PHP to iterate through the  
results and call the function on each until 10 are found. I think  
that *now* we are in insane territory. Other than that, the only  
option is to perform the access check within the database call  
itself. This was the decision that was made.

More information about the development mailing list