This may be a fun debate with agentrickard. I think our node grant system sucks. Before we try and re-make it work across all entities I'd like to call to question if we even need the grant system anymore. My belief is that any node or entity access module knows how best to handle their own records rather than trying to 'fit' into the limitations of the core grant functionality. Therefore, any node or entity access module should either be using hook_node/entity_access() for individual nodes and using hook_query_node/entity_access_alter() for listings. Having the grant system as the 'last resort' creates more complexity in core where as it should just be handled in the access modules themselves if they can't use the existing two access hook methods.
Comments
Comment #1
Crell CreditAttribution: Crell commentedFor anything other than list queries, I agree with you. All single-object checks already belong in hook_node_access(). For list operations, I am not yet convinced. I would like to be convinced, however.
One challenge is that node_access is already iffy on non-SQL backends. I am not sure how that even works with EFQ right now, other than saying "other backends, good luck, it's your job."
Comment #2
agentrickardI would counter that core needs a more consistent API for access, and cowboy_node_query_alter() probably doesn't qualify.
It's hard enough to find node access conflicts now, largely because hook_node_access means that any module (or theme!!!) can disrupt expected behavior. Add to that the fact that it is simply not possible to return an accurate list of all content editable by user X, and I would say: Yes, node grants is flawed, but it needs to be replaced by a more robust core API instead of being left to contrib.
Discuss.
Comment #3
Dave ReidPart of the problem is that the node grant hooks do not get *any* context from the actual query being performed aside from 'op' and 'account'. It's impossible to do something like the following query and have the nodes filtered by a specific domain rather than whatever the 'current' context is. This is a recurring problem not just in Domain module.
Comment #4
geek-merlinso an entity access system must
this should already work with EntityFieldQuery and hook_entity_query_alter... IF the query carries enough info in tags and metadata.
so then: what conventions about tags and metadate would we need the query caller to obey...?
Comment #5
agentrickardSee also the discussion at #1284492: Revision or property based access regarding FieldAPI, revisions and properties wrt access rules.
Comment #6
cosmicdreams CreditAttribution: cosmicdreams commented@Dave Reid: Why does the grant system suck again?
Can you point me to documentation explaining the architecture the system is based on? I haven't been able to find it.
Comment #7
Crell CreditAttribution: Crell commentedThat is part of the reason many people don't like it. :-)
Comment #8
agentrickardhttp://api.drupal.org/api/drupal/modules--node--node.module/group/node_a...
See also chapter 9 of Drupal 7 Module Development. (SHAMELESS PLUG!)
Comment #9
cosmicdreams CreditAttribution: cosmicdreams commentedAwesome, I have that book. On my reading list.
Comment #10
geek-merlinPROPOSAL:
for nodes in the database this already works using
* hook_query_alter() (for node listings) and
* hook_node_access() (for individual nodes).
there is a proof of concept from webchick which i promoted to a full module: http://drupal.org/project/nodetype_access
we might carry this over to entities:
* hook_entity_query_alter() is there for us and seems to work like a charm. i implemented a proof of concept in said module.
* hook_entity_access() should be added - see #1382252: Implement hook_entity_access()
here for convenience some code links:
* nodetype_access.module
* readme
* how to use hook_entity_query_alter()
Comment #11
sinasalek CreditAttribution: sinasalek commentedI also never liked the node access system, it's very slow.
As axel.rutz mentioned hook_entity_query_alter can take care of that quite easily and the good thing is it's compatible with no-sql backends as well. As you all know using EFQ is quite straightforward so if a particular modules want to add additional access checks it's much easier using EFQ altering comparing to grant system plus there is no need to rebuild the permission which is a very time consuming task for large website.
Regarding conflict, when several modules try to apply their own restrictions there is one problem.
If a module adds or condition all the other restrictions will be bypassed! however since EFQ currently does not support "Or" we don't have to be worried about that right know :) It's kinda similar to the problem we've had with Drupal 6 access control
Can't think of any generic solution for this right now.
Comment #12
agentrickardSee the more recent debate at #1819726: Move node access code into a pluggable class
Comment #18
geek-merlinI hope this will finally be done gracefully in #777578-179: Add an entity query access API and deprecate hook_query_ENTITY_TYPE_access_alter().
Comment #19
apadernoDoes that mean it's a duplicate issue?
Comment #21
apaderno