1. drupal
    1. 5
    2. 6
    3. 7
    4. 8
5 node_access($op, $node = NULL)
6 – 8 node_access($op, $node, $account = NULL)

Determine whether the current user may perform the given operation on the specified node.


$op The operation to be performed on the node. Possible values are:

  • "view"
  • "update"
  • "delete"
  • "create"

$node The node object on which the operation is to be performed, or node type (e.g. 'forum') for "create" operation.

$account Optional, a user object representing the user for whom the operation is to be performed. Determines access for a user other than the current user.

Return value

TRUE if the operation may be performed, FALSE otherwise.

Related topics

▾ 18 functions call node_access()

book_block_view in modules/book/book.module
Implements hook_block_view().
book_node_view_link in modules/book/book.module
Inject links into $node as needed.
comment_file_download_access in modules/comment/comment.module
Implements hook_file_download_access().
forum_menu_local_tasks_alter in modules/forum/forum.module
Implements hook_menu_local_tasks_alter().
hook_file_download_access in modules/file/file.api.php
Control download access to files.
NodeAccessUnitTest::assertNodeAccess in modules/node/node.test
Asserts node_access correctly grants or denies access.
node_admin_nodes in modules/node/
Form builder: Builds the node administration overview.
node_file_download_access in modules/node/node.module
Implements hook_file_download_access().
node_form in modules/node/
Generate the node add/edit form array.
node_preview in modules/node/
Generate a node preview.
node_revision_overview in modules/node/
Generate an overview table of older revisions of a node.
theme_node_recent_block in modules/node/node.module
Returns HTML for a list of recent content.
translation_node_overview in modules/translation/
Overview page for a node's translations.
translation_node_prepare in modules/translation/translation.module
Implements hook_node_prepare().
_book_outline_access in modules/book/book.module
Menu item access callback - determine if the outline tab is accessible.
_node_add_access in modules/node/node.module
_node_revision_access in modules/node/node.module
_translation_tab_access in modules/translation/translation.module
Menu access callback.


modules/node/node.module, line 2830

function node_access($op, $node, $account = NULL) {
  $rights = &drupal_static(__FUNCTION__, array());

  if (!$node || !in_array($op, array('view', 'update', 'delete', 'create'), TRUE)) {
    // If there was no node to check against, or the $op was not one of the
    // supported ones, we return access denied.
    return FALSE;
  // If no user object is supplied, the access check is for the current user.
  if (empty($account)) {
    $account = $GLOBALS['user'];

  // $node may be either an object or a node type. Since node types cannot be
  // an integer, use either nid or type as the static cache id.

  $cid = is_object($node) ? $node->nid : $node;

  // If we've already checked access for this node, user and op, return from
  // cache.
  if (isset($rights[$account->uid][$cid][$op])) {
    return $rights[$account->uid][$cid][$op];

  if (user_access('bypass node access', $account)) {
    $rights[$account->uid][$cid][$op] = TRUE;
    return TRUE;
  if (!user_access('access content', $account)) {
    $rights[$account->uid][$cid][$op] = FALSE;
    return FALSE;

  // We grant access to the node if both of the following conditions are met:
  // - No modules say to deny access.
  // - At least one module says to grant access.
  // If no module specified either allow or deny, we fall back to the
  // node_access table.
  $access = module_invoke_all('node_access', $node, $op, $account);
  if (in_array(NODE_ACCESS_DENY, $access, TRUE)) {
    $rights[$account->uid][$cid][$op] = FALSE;
    return FALSE;
  elseif (in_array(NODE_ACCESS_ALLOW, $access, TRUE)) {
    $rights[$account->uid][$cid][$op] = TRUE;
    return TRUE;

  // Check if authors can view their own unpublished nodes.
  if ($op == 'view' && !$node->status && user_access('view own unpublished content', $account) && $account->uid == $node->uid && $account->uid != 0) {
    $rights[$account->uid][$cid][$op] = TRUE;
    return TRUE;

  // If the module did not override the access rights, use those set in the
  // node_access table.
  if ($op != 'create' && $node->nid) {
    if (module_implements('node_grants')) {
      $query = db_select('node_access');
      $query->condition('grant_' . $op, 1, '>=');
      $nids = db_or()->condition('nid', $node->nid);
      if ($node->status) {
        $nids->condition('nid', 0);
      $query->range(0, 1);

      $grants = db_or();
      foreach (node_access_grants($op, $account) as $realm => $gids) {
        foreach ($gids as $gid) {
            ->condition('gid', $gid)
            ->condition('realm', $realm)
      if (count($grants) > 0) {
      $result =  (bool) $query
      $rights[$account->uid][$cid][$op] = $result;
      return $result;
    elseif (is_object($node) && $op == 'view' && $node->status) {
      // If no modules implement hook_node_grants(), the default behaviour is to
      // allow all users to view published nodes, so reflect that here.
      $rights[$account->uid][$cid][$op] = TRUE;
      return TRUE;

  return FALSE;