[development] Proposed user_access / $user->roles hook

Ron Parker sysop at scbbs.com
Thu Mar 29 23:39:24 UTC 2007

Steven Jones wrote:

> Actually having properly looked at node_access, indeed you can't do
> what you want without changes to core.
That is, in fact, what I am proposing.  A hook in user_access or even 
$user->roles which would allow a module to add roles, thus permissions, 
to a user in a particular environment -- in my case, within an OG group 

> 'create' operations are somewhat special and the only thing that gets
> to decide if a 'normal' user can create a node is the hook_access
> defined in the node's module (that is the module that allows the
> creation of that sort of node.)

In the case I described, that would be node_access.  With my 
modification, node_access is working properly as well.  The problem is 
that somewhere in this process: node/add/<node type>?gids[]=<group nid>, 
something fails.  The only clue I have is that my debug of user_access 
reveals that the arg(0) context is lost.

> Taxonomy Access controls creates by
> using db_rewrite_sql, but in my mind that is ugly.
Fortunately, the taxonomy access I need is granted by role.  So, if 
user_access / node_access are returning the correct roles, taxonomy 
works correctly automatically.  That has been my experience so far.

> If any developers are still following this thread, would adding a
> invocation of nodeapi or something similar to node_access be
> permissable, as in this case at least, it would be very useful.
FYI, on a totally separate project, I utilized the Extensible Node 
Access/Authorisation Capability patch: http://drupal.org/node/122173 
which does exactly what you ask above: invokes nodeapi for access.  It 
works beautifully for everything EXCEPT lisitng, which requires 
node_db_rewrite_sql().   And,  it does not deal with user_access 
permissions.  So, even if I got it to return the correct permissions for 
a node create, I still have to deal with user_access and $user->roles 
calls elsewhere. 

The OG module itself does 18 calls to user_access.  What I'm saying is 
that if there were a way to have user_access invoke some sort of _access 
hook so that other modules could add permissions (or roles) to the ones 
it already creates, this would solve my problem.

EXCEPT that I still can't figure out why the create isn't working by 
default now.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/development/attachments/20070329/d4862e06/attachment.htm 

More information about the development mailing list