[development] node_access arbitrator in Drupal 5

[Earl Miles]

This actually happened a couple of months ago, but I delayed announcing 
it because it needed a bug fix before it could be used, and that took 
awhile to get through the patching system. The upshot is that since it's 
been in awhile, those in the know (uh, I guess that's me and Moshe) have 
managed to create/update some modules to take advantage of this system.

First, the updating modules link: http://drupal.org/node/64279#node_access

Second, what you need to know:

If your module doesn't touch the node_access table, good for you. You 
probably don't need to do anything.

If your module does touch the node_access module, at least to write to 
it, you're going to be hideously broken. You need to very carefully read 
through the new system.

Basically, the new system calls a function called 
node_access_acquire_grants() whenever a node is saved; your module can 
also call this function (For example, when you change a setting that 
causes access changes for many nodes). This function does calls 
hook_node_access_records with the node, and modules that have an 
interest return a list of access rules, including a 'priority'. Only 
rules with the highest priority are considered, the rest are thrown 
away. If no records are returned for the node at all, a simple 'all' 
grant is written for the node.

For a couple of other examples, see the Forum Access and ACL modules. 
Forum Access does roughly what it sounds like it'll do; ACL provides an 
API to attach access control lists to nodes and maintain them. Forum 
Access uses ACL to provide a 'forum moderators' list that the current 
taxonomy access system can't do.

The biggest benefit to these is that access control modules can 
co-exist, though they still need to be a little bit careful.