2 * Implements hook_query_TAG_alter().
4 function {{ machine_name }}_query_TAG_alter(Drupal\Core\Database\Query\AlterableInterface $query) {
5 // Skip the extra expensive alterations if site has no node access control modules.
6 if (!node_access_view_all_nodes()) {
7 // Prevent duplicates records.
9 // The recognized operations are 'view', 'update', 'delete'.
10 if (!$op = $query->getMetaData('op')) {
13 // Skip the extra joins and conditions for node admins.
14 if (!\Drupal::currentUser()->hasPermission('bypass node access')) {
15 // The node_access table has the access grants for any given node.
16 $access_alias = $query->join('node_access', 'na', '%alias.nid = n.nid');
17 $or = new Condition('OR');
18 // If any grant exists for the specified user, then user has access to the node for the specified operation.
19 foreach (node_access_grants($op, $query->getMetaData('account')) as $realm => $gids) {
20 foreach ($gids as $gid) {
21 $or->condition((new Condition('AND'))
22 ->condition($access_alias . '.gid', $gid)
23 ->condition($access_alias . '.realm', $realm)
28 if (count($or->conditions())) {
29 $query->condition($or);
32 $query->condition($access_alias . 'grant_' . $op, 1, '>=');