--- /dev/null
+/**
+ * Implements hook_node_grants_alter().
+ */
+function {{ machine_name }}_node_grants_alter(&$grants, \Drupal\Core\Session\AccountInterface $account, $op) {
+ // Our sample module never allows certain roles to edit or delete
+ // content. Since some other node access modules might allow this
+ // permission, we expressly remove it by returning an empty $grants
+ // array for roles specified in our variable setting.
+
+ // Get our list of banned roles.
+ $restricted = \Drupal::config('example.settings')->get('restricted_roles');
+
+ if ($op != 'view' && !empty($restricted)) {
+ // Now check the roles for this account against the restrictions.
+ foreach ($account->getRoles() as $rid) {
+ if (in_array($rid, $restricted)) {
+ $grants = [];
+ }
+ }
+ }
+}