function node_access

7.x node.module node_access($op, $node, $account = NULL)
6.x node.module node_access($op, $node, $account = NULL)

Determine whether the current user may perform the given operation on the specified node.

Parameters

$op: The operation to be performed on the node. Possible values are:

  • "view"
  • "update"
  • "delete"
  • "create"

$node: The node object (or node array) on which the operation is to be performed, or the node type (e.g. 'forum') for the "create" operation.

$account: Optional, a user object representing the user for whom the operation is to be performed. Determines access for a user other than the current user.

Return value

TRUE if the operation may be performed, or FALSE otherwise.

19 calls to node_access()
blogapi_blogger_edit_post in drupal-6.x/modules/blogapi/blogapi.module
Blogging API callback. Modifies the specified blog node.
blogapi_blogger_new_post in drupal-6.x/modules/blogapi/blogapi.module
Blogging API callback. Inserts a new blog post as a node.
blogapi_mt_publish_post in drupal-6.x/modules/blogapi/blogapi.module
Blogging API callback. Publishes the given node.
book_export in drupal-6.x/modules/book/book.pages.inc
Menu callback; Generates various representations of a book page and its children.
book_link in drupal-6.x/modules/book/book.module
Implementation of hook_link().

3 string references to 'node_access'
comment_menu in drupal-6.x/modules/comment/comment.module
Implementation of hook_menu().
node_menu in drupal-6.x/modules/node/node.module
Implementation of hook_menu().
node_schema in drupal-6.x/modules/node/node.install
Implementation of hook_schema().

File

drupal-6.x/modules/node/node.module, line 2018
The core that allows content to be submitted to the site. Modules and scripts may programmatically submit nodes using the usual form API pattern.

Code

function node_access($op, $node, $account = NULL) {
  global $user;

  if (!$node || !in_array($op, array('view', 'update', 'delete', 'create'), TRUE)) {
    // If there was no node to check against, or the $op was not one of the
    // supported ones, we return access denied.
    return FALSE;
  }
  // Convert the node to an object if necessary:
  if ($op != 'create') {
    $node = (object) $node;
  }
  // If no user object is supplied, the access check is for the current user.
  if (empty($account)) {
    $account = $user;
  }
  // If the node is in a restricted format, disallow editing.
  if ($op == 'update' && !filter_access($node->format)) {
    return FALSE;
  }

  if (user_access('administer nodes', $account)) {
    return TRUE;
  }

  if (!user_access('access content', $account)) {
    return FALSE;
  }

  // Can't use node_invoke(), because the access hook takes the $op parameter
  // before the $node parameter.
  $module = node_get_types('module', $node);
  if ($module == 'node') {
    $module = 'node_content'; // Avoid function name collisions.
  }
  $access = module_invoke($module, 'access', $op, $node, $account);
  if (!is_null($access)) {
    return $access;
  }

  // If the module did not override the access rights, use those set in the
  // node_access table.
  if ($op != 'create' && $node->nid && $node->status) {
    $grants = array();
    foreach (node_access_grants($op, $account) as $realm => $gids) {
      foreach ($gids as $gid) {
        $grants[] = "(gid = $gid AND realm = '$realm')";
      }
    }

    $grants_sql = '';
    if (count($grants)) {
      $grants_sql = 'AND (' . implode(' OR ', $grants) . ')';
    }

    $sql = "SELECT 1 FROM {node_access} WHERE (nid = 0 OR nid = %d) $grants_sql AND grant_$op >= 1";
    $result = db_query_range($sql, $node->nid, 0, 1);
    return (bool) db_result($result);
  }

  // Let authors view their own nodes.
  if ($op == 'view' && $account->uid == $node->uid && $account->uid != 0) {
    return TRUE;
  }

  return FALSE;
}
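
Example usage (an added example, not part of the original page or of Drupal core): a hypothetical Drupal 6 module named "example", whose function names and paths are assumptions, uses node_access() as a menu access callback, as the string references above do, and calls it directly where the menu system cannot. It also shows the "create" form and the fallback to the current user when $account is empty.

```php
<?php
// Added example for a hypothetical Drupal 6 module named "example".

/**
 * Implementation of hook_menu().
 */
function example_menu() {
  $items = array();
  // Declarative check: the menu system loads %node from the URL and calls
  // node_access('view', $node) before the page callback runs.
  $items['node/%node/summary'] = array(
    'title' => 'Summary',
    'page callback' => 'example_summary_page',
    'page arguments' => array(1),
    'access callback' => 'node_access',
    'access arguments' => array('view', 1),
    'type' => MENU_CALLBACK,
  );
  // The nid is a query parameter here, so the menu system never sees the
  // node; the callback has to call node_access() itself.
  $items['example/title'] = array(
    'page callback' => 'example_title_json',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function example_summary_page($node) {
  return check_plain($node->title);
}

function example_title_json() {
  $node = node_load(isset($_GET['nid']) ? (int) $_GET['nid'] : 0);
  // node_load() returns FALSE for an unknown nid and node_access() denies
  // a missing node, so unknown and forbidden nids get the same response.
  if (!node_access('view', $node)) {
    return drupal_access_denied();
  }
  drupal_json(array('nid' => $node->nid, 'title' => $node->title));
}

// May user $uid create a node of $type? For "create" the second argument is
// the type name. An empty $account makes node_access() check the current
// user instead, so a failed user_load() must be denied before the call.
function example_may_create($type, $uid) {
  $account = user_load(array('uid' => (int) $uid));
  return $account ? node_access('create', $type, $account) : FALSE;
}
```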