Index: module_grants.module
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/module_grants/module_grants.module,v
retrieving revision 1.30
diff -u -p -r1.30 module_grants.module
--- module_grants.module	22 Jul 2009 03:54:27 -0000	1.30
+++ module_grants.module	23 Oct 2009 23:36:44 -0000
@@ -621,6 +621,71 @@ function grants_by_module($op, $account,
 }
 
 /**
+ * Implementation of hook_db_rewrite_sql
+ *
+ * Similar to node_access_db_rewrite_sql() in node.module but ANDs rather than ORs grants
+ * together on a per module base to create more natural behaviour.
+ */
+function module_grants_db_rewrite_sql($query, $primary_table, $primary_field) {
+  $or_modules = variable_get('module_grants_OR_modules', FALSE);
+  if (!$or_modules) {
+    if ($primary_field == 'nid' && !node_access_view_all_nodes()) {
+      $return['where'] = _module_grants_node_access_where_sql();
+      return $return;
+    }
+  }
+}
+
+/**
+ * Generate an SQL where clause for use in fetching a node listing. 
+ *
+ * Similar to _node_access_where_sql() in node.module but ANDs rather than ORs grants
+ * together on a per module base to create more natural behaviour.
+ *
+ * @param $op
+ *   The operation that must be allowed to return a node.
+ * @param $node_access_alias
+ *   If the node_access table has been given an SQL alias other than the default
+ *   "na", that must be passed here.
+ * @param $account
+ *   The user object for the user performing the operation. If omitted, the
+ *   current user is used.
+ * @return
+ *   An SQL where clause.
+ */
+function _module_grants_node_access_where_sql($op = 'view', $node_access_alias = 'na', $account = NULL) {
+  global $user;
+  
+  if (user_access('administer nodes')) {
+    return;
+  }
+  
+  if (empty($account)) {
+    $account = $user;
+  }
+  $all_grants = grants_by_module($op, $account);
+
+  $grants = array();
+  foreach ($all_grants as $module => $module_grants) {
+    $lenient_subquery = '';
+    if (variable_get('module_grants_lenient', TRUE)) {
+      $module_realms = array_keys(module_invoke($module, 'node_grants', $account, $op));
+      if (!empty($module_grants)) {
+        $lenient_subquery = "(SELECT COUNT(1) FROM {node_access} nasq WHERE $node_access_alias.nid = nasq.nid AND realm IN ('". implode("','", $module_realms) ."')) = 0 OR ";
+      }
+    }
+    $grants[] = "(" . $lenient_subquery . "$module_grants)";
+  }
+
+  $grants_sql = '';
+  if (count($grants)) {
+    $sql = implode(' AND ', $grants);
+  }
+  
+  return $sql;
+}
+
+/**
  * Retrieve a list of nodes or revisions accessible to the logged-in user via
  * the supplied operation.
  *
