Drupal has some interesting ways to control access for content. I was forced to learn about all of them to be able to implement a custom security widget. Once you know how everything fits together it is fun to work with, but it took me more effort than I expected. I bumped into many walls. This is why I would like to guide you through this process.
I will talk about all the wrong paths I took to get where I had to be. This way I will cover multiple use cases. If you are a developer and want to know more about security, this could be an interesting session for you.
The main topics I will talk about are node_access and node_grants. I also added a custom layer for my project. If you know more about this it could be fun to open a discussion about different implementations.
why this subject
custom security widget
spaces

first concept
user_access
roles
permissions

demo
ex: comments

defined by modules
implemented by modules
demo

fetch permissions
check role current user
user 1

second mechanism, actually two in one
node access function in node.module
permissions
hooks
grants: simple but hard to explain

access to what?
view/create/update/delete => node_access
list => grants
create: node type

use node_access() function
let's go through the flow

cf. permissions admin page
user_access returns TRUE for user 1

6 - Only implemented by module of content type
7 - Much much more flexible
hook_node_access is triggered

Implement hook_node_access
args ($node, $op, $account)
flexible but at runtime -> performance
3 return values
FALSE will break other modules
ex: age check
check custom created permissions
ex: domain

implementation of hook_node_access of node.module
checks permissions

check permissions
check if node is your own + check permissions

same as update

after hook_node_access
another permissions
check if content is yours

Are grants implemented?
Not only for lists
Tip of the iceberg -> table node_access
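
The hook_node_access notes above (arguments, three return values, age check, custom permission), written out as a Drupal 7 module. This is an added example, not code from the session; the module name agegate, the permission name and the two field names are assumptions.

```php
<?php
// Hypothetical Drupal 7 module "agegate". Assumed field names (not from the
// session): integer field_min_age on nodes, ISO date field_birthdate on users.

/**
 * Implements hook_permission(): the custom permission the hook checks below.
 */
function agegate_permission() {
  return array(
    'bypass age gate' => array(
      'title' => t('Bypass age gate'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_node_access().
 */
function agegate_node_access($node, $op, $account) {
  // For 'create', $node is a content type name, not an object. No opinion on
  // anything but viewing: IGNORE lets other modules and node.module decide.
  if ($op != 'view' || !is_object($node)) {
    return NODE_ACCESS_IGNORE;
  }
  $min = field_get_items('node', $node, 'field_min_age');
  if (empty($min[0]['value']) || user_access('bypass age gate', $account)) {
    return NODE_ACCESS_IGNORE;
  }
  // $account may be the session user without fields attached; load it fully.
  $full = $account->uid ? user_load($account->uid) : FALSE;
  $born = $full ? field_get_items('user', $full, 'field_birthdate') : FALSE;
  $dob = empty($born[0]['value']) ? FALSE : date_create($born[0]['value']);
  if (!$dob) {
    // Anonymous user or missing/invalid birthdate: fail closed.
    return NODE_ACCESS_DENY;
  }
  $age = date_diff($dob, date_create('now'))->y;
  // DENY from any one module overrides ALLOW from all others, so return it
  // only for the case this module owns; never ALLOW just for passing the gate.
  return $age < (int) $min[0]['value'] ? NODE_ACCESS_DENY : NODE_ACCESS_IGNORE;
}
```

The hook runs only when node_access() is called for a single node. Listings are filtered by grants, so this gate alone does not keep restricted nodes out of lists.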