Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
If anybody is trying to achieve this in Drupal 8, then here's a custom module you can tweak according to your needs. This implementation grants access to the node ONLY IF the logged in user is referenced through the field attached to the node, all other users are denied access.
user_access_restrictions.info.yml
name: User access restrictions
description: Restricts access to CONTENT_TYPE nodes if user is not referenced.
package: Custom
type: module
core: 8.x
user_access_restrictions.module
use Drupal\Core\Access\AccessResult;
function user_access_restrictions_node_access(\Drupal\node\NodeInterface $node, $op, \Drupal\Core\Session\AccountInterface $account) {
if ($node->bundle() == 'CONTENT_TYPE') {
$users = $node->get('REFERENCE_FIELD_NAME')->getValue();
if (!empty($users)) {
foreach ($users as $user) {
if ($user['target_id'] == $account->id()) {
return AccessResult::allowed()->cachePerUser()->cacheUntilEntityChanges($node);
}
}
}
return AccessResult::forbidden()->cachePerUser()->cacheUntilEntityChanges($node);
}
return AccessResult::neutral();
}
Notes: CONTENT_TYPE signifies the content type machine name that has the reference field in question, REFERENCE_FIELD_NAME signifies the machine name of the user referencing field (e.g. "field_user_reference").
Comments
Comment #2
minff CreditAttribution: minff commentedComment #3
marcoscanoYou might want to replace the deprecated
cacheUntilEntityChanges()
method by:Comment #4
marcoscanoAlso, the line:
is probably a bug, because it will prevent other modules from granting access to a given user, if the user is not referenced in that field. You should leave only either the
::allowed()
or the::neutral()
returns, unless you have a real reason for denying the access to the user no matter all other site contexts and permissions.Comment #5
kiwad CreditAttribution: kiwad commentedworks well
might worth also noting that this code gives view/update/delete access to referenced user, so you might want to use something like
Comment #6
MrPeanut CreditAttribution: MrPeanut commentedI am looking to give update access to referenced users and view access for all users. With changes from #3 and #4, I have the following:
I'm not sure where to put
if ($op == 'view' || $op == 'update')
and if that will give all users view access.Comment #7
avogler CreditAttribution: avogler commentedAre there any plans to port this module to 8.x?
Comment #8
colanIt sounds like we can deprecate this module in favour of Access by Reference for Drupal 8.
Comment #9
hansrossel CreditAttribution: hansrossel commentedThere are some other similar modules for Drupal 8
- Permissions by field
- Reference Access
Comment #10
marksmith CreditAttribution: marksmith commentedI think the modules mentioned cannot be regarded as viable alternatives to nodeaccess_userreference in many situations. Imagine the following use case:
A "Course assignment" content type should be visible only to author (= student, who can also edit / delete his content) and to particular users referenced via the fields field_teacher and field_mentor (users belong to 2 different user roles, but this is not a role based access as teacher and mentor can vary by assignment).
The same is true for a simple content type "Message", where you would need a created node to be visible only to users added to a user_reference field.
Comment #11
W01F CreditAttribution: W01F commentedJust wondering if there were any plans to port this, or if any other valid alternatives had emerged? I see the last comment was two years ago, so figured I'd gently inquire =)
Comment #12
gagarine CreditAttribution: gagarine as a volunteer commentedThis should be straightforward to port. The module is small and well made.
I don't need it for my project at the moment. But feel free to contact me in MP if you have a budget and need this to be ported. I need to check it a bit more in detail, but it should be around 1'000$. Be aware I'm living in Switzerland, so for sure someone can certainly do it for much cheaper.
Comment #13
AnybodyHi all,
as we didn't find a proper solution for this use case since the Drupal 7 modules (nodeaccess_nodereference & nodeaccess_userreference), we decided to create: https://www.drupal.org/project/entity_access_by_reference_field
as a general solution for such cases.
Feel free to have a look and help to push things forward :)