module-based multiple node_access?
I had a notion the other day of a module to bypass node_access. It seems if you had a module with a very heavy weight and hook_node_access_records, it could fire after all the other hook_node_access_records calls. Then it could:
- Copy all the other modules' node_access records into a table of its own with the same structure as node_access.
- Set all the other modules' node_access records to DENY for everything.
Then when node_access fires, it could execute arbitrary logic to set its own grants for view, update, and delete based on the other modules' stored settings. Since core uses an OR, all the other entries would be effectively bypassed since they've been set to DENY, and only this module's logic would have an effect.
Might this avoid a core hack? Could it be a way for OG, domain, and workflow permissions to exist on one install? It would have to be restricted to superadmins most likely, because you'd have to write a bit of logic up for each of the grants based on all the node_access-enabled modules on the install. If it works in concept, you could establish a sort of cookbook for different module combinations.
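Added example, not part of the original post and not Drupal or contrib code: a simplified Python model of the scheme described above, showing how OR-combined grants let any one module open a node and how a single arbitrating module could instead decide from the stored copies. The realm names, the sample rows and the AND policy in `arbiter_access` are assumptions made for illustration.

```python
# Simplified model of the node_access grant check (not Drupal code).
# A row is (realm, gid, grant_view, grant_update, grant_delete).
OPS = {"view": 2, "update": 3, "delete": 4}

def core_access(rows, user_grants, op):
    """Core behaviour: any matching row with the op bit set grants access (OR)."""
    return any(
        row[OPS[op]] == 1 and row[1] in user_grants.get(row[0], ())
        for row in rows
    )

def arbiter_takeover(rows):
    """Copy the other modules' rows to a shadow table, then zero the originals."""
    shadow = list(rows)
    denied = [(realm, gid, 0, 0, 0) for realm, gid, *_ in rows]
    return shadow, denied

def arbiter_access(shadow, user_grants, op):
    """Hypothetical policy: every realm with rows on the node must grant (AND)."""
    realms = {row[0] for row in shadow}
    return bool(realms) and all(
        core_access([r for r in shadow if r[0] == realm], user_grants, op)
        for realm in realms
    )

# Constructed sample data: one node with a group realm row and a domain realm row.
NODE_ROWS = [("og", 7, 1, 0, 0), ("domain", 2, 1, 1, 0)]
ALICE = {"og": [7]}                  # group member, no grant in the domain realm
BOB = {"og": [7], "domain": [2]}     # holds grants in both realms

def demo():
    shadow, denied = arbiter_takeover(NODE_ROWS)
    return {
        "core_alice_view": core_access(NODE_ROWS, ALICE, "view"),
        "zeroed_alice_view": core_access(denied, ALICE, "view"),
        "arbiter_alice_view": arbiter_access(shadow, ALICE, "view"),
        "arbiter_bob_view": arbiter_access(shadow, BOB, "view"),
        "arbiter_bob_update": arbiter_access(shadow, BOB, "update"),
    }

if __name__ == "__main__":
    print(demo())
```

Once the original rows are zeroed, every access decision for the node rests on the arbitrating logic alone, so an error there either locks everyone out or grants more than any individual module intended.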



Performance?
On a large site, wouldn't there be a significant performance issue in, what I think I understand, continually re-writing and copying the node access table? Don't know for sure, but just wondering.
The thought was that you'd
The thought was that you'd only make copies and modifications for the node being worked on. Working on a single node it wouldn't be a huge hit (about twice as much work from a node access perspective). I think the time it would be most significant would be doing a post setting rebuild; that would be the only time the whole table would have to be rewritten.
ACL
There is an ACL module that tries to do this.
Really, the best way for something like this is to implement hooks that pass-by-reference various node grants. Domain does this now, providing an API hook so that other modules can alter its default behavior.
See http://drupal.org/node/196922 for the ongoing debate about the best approaches to this issue.
Dave Cohen suggests passing values via hook, by reference, at http://drupal.org/node/196922#comment-814752
--
http://ken.therickards.com/
I totally agree there are
I totally agree there are better ways to handle this problem, but they all seem to require some modifications to core, or require existing modules to implement new hooks. The advantages I can see this method having are no need to hack core, and the ability to really refine how all the access permissions interact. The trade-offs are performance and complexity; you're essentially assuming responsibility for all node_access rights in one module.
I will read up some more on node_access and try to present a concept module, or at least report back if it doesn't work.
ACL
ACL is the concept module that you describe. No need to reinvent it.
http://drupal.org/project/acl
But the core system really needs love, so the patch and discussion mentioned above are worth your time.
--
http://ken.therickards.com/