Drupal 8 Node

 

For many Drupal web sites setting permissions for anonymous, authenticated, and admin users through the GUI is sufficient. For example, all published content should be visible to all users, authenticated users can leave comments, and admin users are allowed to create content. For more advanced use cases the popular contributed module Content Access (beta for Drupal 7, dev for Drupal 8) allows much finer grained control over read and write access to nodes by content type, and can even specify access differently for individual nodes.

Embed
  • In Drupal 8, you can't use hookformFORMIDalter to handle both node creation and node editing forms for nodes of a given type. Search Drupal 8.2.x Function, class, file, topic, etc.
  • I have a need to remove all nodes of the same type in Drupal 8 (there are over 7k of nodes). It wouldn't be a problem for Drupal 7 (DB query + nodedelete or nodedeletemultiple would have solved my issue). However, D8 is slightly different:) Please, advice, how can I do it. Thanks in advance!
  • Programmatically get all nodes from drupal 8. Ask Question Asked 2 years, 8 months ago. Active 2 years, 8 months ago. Viewed 10k times 2. I am trying to get all nodes of a certian type from drupal. I have tried many ways to achieve that, but maybe due to my lack of Drupal custom module programming experience I couldn't achieve my desire.

There are plenty of ways to create links when using Drupal 8 and I will share some of those ways in this post. The easiest way to create internal links is using Link:. View titlecallback DrupalnodeControllerNodeViewController::title Requirements node d+ entityaccess node.view method GET POST Options compilerclass DrupalCore. 8.8.x core/modules/node/node.modulenodeaccess The node access system determines who can do what to which nodes. In determining access rights for a node, DrupalnodeNodeAccessControlHandlerfirst checks whether the user has the 'bypass node access' permission. Users have unrestricted access to all nodes. User 1 will always pass this.

When even more complex permissions are needed many choose to implement hook_node_access(). Permissions management with hook_node_access() does have a few disadvantages:

  • Unwieldy implementations can cause considerable performance bottlenecks
  • Node operation links like View or Edit associated with node permissions aren’t automatically added or removed
  • Views queries are unaffected; content could be displayed to a user in a views block which they would otherwise not have access to

Managing permissions with hook_node_access() works fine in many cases, but it’s not the most flexible way to manage access to your nodes.

Custom permissions with node access grants in Drupal 8

A more robust solution to complex permissions is to use the node access system with hook_node_access_records() and hook_node_grants(). Hook_node_access_records() is called when each node is saved. That’s where grants are setup to view, update, and/or delete a node. Hook_node_grants() is called to determine access and is what is used to check the node_access table.

The good news is node access grants work (almost) exactly the same in Drupal 8 as in 7.

Drupal

When researching how to implement node grants, I had come across relatively simple examples where access was based on a user’s role or organic groups properties. Since the user object is passed to hook_node_grants(), it’s trivial to determine which user should get access. But, what if access to view or edit a node is based on a combination of factors? This was the situation I recently had to deal with.

The implementation below creates a View grant for accounts that meet a specific criteria. The code for the actual criteria has been omitted. It also creates a full access grant for administrators using a zero as the grant id -- not to be confused with the UID associated with anonymous users.

Above is part of a hook_node_access_records() implementation. The node_access tables store:

  • Node id: The unique node identifier.
  • Realm: A string that can be whatever you want. This can be useful to group different kinds of access; using the modulename is typical.
  • Grant id: An integer value often used to group access. If for example some users can only read the node, and others can read, update, and delete, you might use 0 and 1 for these two sets of users. In our case there are a small number of users who should have read access and this is determined by code based on multiple factors. For this reason we set a grant for each user using the user id.
  • Grant_view, grant_update, grant_delete: Use 0 for no access, 1 for access.
  • Langcode: Language code.

Below is the hook_node_grants() implementation. This is called each time access to a node needs to be determined; so the simpler the code, the better. If the node_access table has an entry for the node id being accessed, permissions with the matching value for realm and grant id will be granted. First the account is checked for the administrator role, and the grant id 0 is returned if there’s a match. If not, and if the user isn’t anonymous, the function returns a grant with the user’s id. If there’s a match in the table, access will be granted based on the values for read, update, or delete. If this grant doesn’t match an entry in the table, access will be denied. Finally, if the user is anonymous an empty array will be returned, denying access.

Implications of custom node access grants

One of the limitations of implementing custom node access grants is the effect on database queries. If the current user does not have access to a particular node it won’t be included in query results. This makes sense for Views since you wouldn’t want to display nodes a user shouldn’t have access to. However, if in code you need to query nodes in the background, the query is limited to those the current user can access. If for some reason a view should ignore access checks, that’s configurable with the 'Disable SQL rewriting' option in the Views GUI.

For queries in code, starting in Drupal 7.15 the syntax for disabling access checks while performing a query is below:

in Drupal 8 the same thing is accomplished with:

Using node access grants isn’t always necessary to manage your permissions, but it allows for more complexity than many contributed modules and is more efficient than many custom hook_node_access() implementations.

CodeDrupalDrupal 8Drupal Planet

Read This Next

Operations Skip to footer

View the discussion thread.

Drupal 8 brought along with it many notable features which have made it easier to use and develop for the platform. One such feature was the incorporation of RESTful web services in Drupal 8 core for API calls. Using RESTful web services, a host of possibilities for customization of the platform open up; not to mention that these web services are the underlying principles which enable the concept of ‘headless Drupal’. In this post, I’ll start by performing a very basic Drupal function using these web services, i.e. creating a node.

Enable Modules

Start by enabling the following 4 core modules in Drupal:

Drupal 8 nodeForm
  • HAL;
  • HTTP Basic Authentication;
  • RESTful Web Services;
  • Serialization.

Download the REST UI module as well, since it allows changing permissions and settings through a simple GUI, negating the need to go into the rest.settings.yml file in order to do the same changes.

Create User and Set Permissions

I’m now going to create a new authenticated user for the site. I’ll be doing this to teach you the kind of permissions that need to be set. Note that if you log in as an admin, all the following permissions will already be enabled.

Now, create a new user and navigate to admin/configuration/web services/REST. Click edit for the content row, since that’s what we will be doing in this article, and then set the permissions as shown in the screenshot below:

Now I’ll set proper permissions for our new authenticated user in order to let the user create, edit and delete content. I do this by navigating to admin/people/permissions. Set the following permissions:

  • Basic Page: Create new content
  • Basic Page: Delete own content
  • Basic Page: Edit own content

Get User’s Token

Before we start creating a node, we need to get our new user’s token in order to pass authentication. This can be done by testing API calls. For testing API calls, I’ll use the Restlet Client – Rest API Testing extension for Chrome. Of course, if you prefer some other method, feel free to use that one instead.

Now, to test my API calls and get the new user’s token, I’ll first log out of my site as an admin and log in with the new user account. Now, I’ll simply copy the URL of my site, add rest/session/token at the end of it and paste it in the Restlet client’s URL field. Next, I’ll select the ‘GET’ method from the dropdown and send the URL to get the token from the body field. Here’s a screenshot from an earlier call:

Create Node and Test API Call

Now that I’ve got my unique token, I can start creating a node. To do so, the POST method is used to POST the entity/node, and the content-type should be set to application/hal+json. The title and type fields should be declared in the body field like this:

{

“_links”:{

“type”:{

“href”:”http://example.com/rest/type/node/page”

}

},

“title”:[

{

“value”:”My first page”

}

]

Drupal 8 Node Presave

}

The following headers have to be added for this call:
Content-Type : application/hal+json
X-CSRF-Token : ‘The token that we got from the previous step.’

Click ‘Add authorization’ and enter the credentials of the authenticated user to add authentication if required.

This is what it should look like before firing the API call:

Next, go to your Drupal site and navigate to admin/content. Check to see if the node you created is visible on your site. If it’s there, your API call works.

Drupal 8 Node Access

Conclusion

That’s it! You’ve successfully created your first Drupal node using RESTful web services. Note that this is a very basic function of RESTful web services intended to give a demo of the feature.

Drupal 8 Node Embed

Having trouble with your Drupal project? Stuck with customizing your Drupal site to your own liking? Lay aside your worries and hand them over to us at Agiledrop.