/** * Set permissions for a node to be written to the database. * * When a node is saved, a module implementing hook_node_access_records() will * be asked if it is interested in the access permissions for a node. If it is * interested, it must respond with an array of permissions arrays for that * node. * * Node access grants apply regardless of the published or unpublished status * of the node. Implementations must make sure not to grant access to * unpublished nodes if they don't want to change the standard access control * behavior. Your module may need to create a separate access realm to handle * access to unpublished nodes. * * Note that the grant values in the return value from your hook must be * integers and not boolean TRUE and FALSE. * * Each permissions item in the array is an array with the following elements: * - 'realm': The name of a realm that the module has defined in * hook_node_grants(). * - 'gid': A 'grant ID' from hook_node_grants(). * - 'grant_view': If set to 1 a user that has been identified as a member * of this gid within this realm can view this node. This should usually be * set to $node->isPublished(). Failure to do so may expose unpublished content * to some users. * - 'grant_update': If set to 1 a user that has been identified as a member * of this gid within this realm can edit this node. * - 'grant_delete': If set to 1 a user that has been identified as a member * of this gid within this realm can delete this node. * - langcode: (optional) The language code of a specific translation of the * node, if any. Modules may add this key to grant different access to * different translations of a node, such that (e.g.) a particular group is * granted access to edit the Catalan version of the node, but not the * Hungarian version. If no value is provided, the langcode is set * automatically from the $node parameter and the node's original language (if * specified) is used as a fallback. Only specify multiple grant records with * different languages for a node if the site has those languages configured. * * A "deny all" grant may be used to deny all access to a particular node or * node translation: * @code * $grants[] = array( * 'realm' => 'all', * 'gid' => 0, * 'grant_view' => 0, * 'grant_update' => 0, * 'grant_delete' => 0, * 'langcode' => 'ca', * ); * @endcode * Note that another module node access module could override this by granting * access to one or more nodes, since grants are additive. To enforce that * access is denied in a particular case, use hook_node_access_records_alter(). * Also note that a deny all is not written to the database; denies are * implicit. * * @param \Drupal\node\NodeInterface $node * The node that has just been saved. * * @return * An array of grants as defined above. * * @see hook_node_access_records_alter() * @ingroup node_access */ function hook_node_access_records(\Drupal\node\NodeInterface $node) { // We only care about the node if it has been marked private. If not, it is // treated just like any other node and we completely ignore it. if ($node->private->value) { $grants = array(); // Only published Catalan translations of private nodes should be viewable // to all users. If we fail to check $node->isPublished(), all users would be able // to view an unpublished node. if ($node->isPublished()) { $grants[] = array('realm' => 'example', 'gid' => 1, 'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0, 'langcode' => 'ca'); } // For the example_author array, the GID is equivalent to a UID, which // means there are many groups of just 1 user. // Note that an author can always view his or her nodes, even if they // have status unpublished. if ($node->getOwnerId()) { $grants[] = array('realm' => 'example_author', 'gid' => $node->getOwnerId(), 'grant_view' => 1, 'grant_update' => 1, 'grant_delete' => 1, 'langcode' => 'ca'); } return $grants; } }