[development] Overriding node_db_rewrite_sql()

Ron Parker sysop at scbbs.com
Thu Jul 26 22:40:45 UTC 2007

Many thanks to everyone who responded to my problem. After about the 3rd 
or 4th email mentioning the special case for user #1, I finally realized 
what I needed to do. I also wish to respond to some of the issues 
brought up as a result of this discussion.

The solution

I made the following modification to the first line, and it worked:

if ($primary_field == 'nid' && !node_access_view_all_nodes() && 
!user_access('administer nodes')) {

Overriding node_db_rewrite_sql()

David Cohen wrote:

    i'll go further, and suggest that you should not implement that hook in
    your module either. you want to restrict nodes using the node access
    API, just like og itself. See the example node_access module on

I'm sure you're right.

This particular issue is part of a larger effort I've embarked on to 
make different access control systems work together. See: 

Yes, OG uses the node access API for OG permissions, but what I am 
trying to do is make OG work with TAC and Content Access. Actually, I 
have done this. http://groups.drupal.org/node/3700 But, right now, I 
have to patch core and contributed modules. This effort here is about 
moving the functionality of that patched code into a separate module 

So, in order to not have to patch core code, I have to override the 
default hook_db_rewrite_sql() functions from a separate custom module.

Why not use node access API, just like og itself?

I am very familiar with the node access API from my work on OG User 
Roles: http://drupal.org/node/87679

The way the default system appears to work is to determine whether 
Module A or Module B or Module C says a user can have access to a node.  
In order to make OG User Roles, OG, TAC and CA work together, I need to 
be able to say: Allow the user access if Module A AND (Module B OR 
Module C ) says it's ok.  If someone knows how to accomplish this with 
node grants, and is willing to work with me, I am all ears.

The way I figured out how to do it was by using the "Extensible Node 
Access/Authoriisation Capability" patch: http://drupal.org/node/122173.  
This same mechanism is discussed here: http://drupal.org/node/143075.  
Many of us hope it finds its way into Drupal 6.  Anyway, this patch 
helps me refine node access to my exact specifications.  And, it works.

However, as you know, node_access only handles create/view/update/delete 
requests and NOT list requests.  In order for node listing to match node 
access in my environment, I needed to modify the node_db_rewrite_sql() 
function (as well as the hook_db_rewrite_sql() functions in OG and TAC).

I did that, and I've had this wonderful cooperative environment working 
for a few months now. 

Using user #1 for development testing

Honestly, I think the only reason I do this is because it's what I'm 
used to. I can see and do everything I need to quickly and easily. 
Besides, if I wasn't in this habit, I probably wouldn't have noticed the 
problem with my hook_db_rewrite_sql() code, at least not right away.


Ron Parker
Software Creations               http://www.scbbs.com
Self-Administration Web Site     http://saw.scbbs.com
SDSS Subscription Mgmt Service   http://sdss.scbbs.com
Central Ave Dance Ensemble       http://www.centralavedance.com
R & B Salsa                      http://www.randbsalsa.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/development/attachments/20070726/6c2387aa/attachment-0001.htm 

More information about the development mailing list