7.1. Respecting the Access System
Drupal's access system is based on a single database table—node_access—and two major access functions—db_rewrite_sql and node_access. As its name implies, db_rewrite_sql takes a query and modifies it—rewrites it—to include the proper conditions to limit which pieces of content a user can see. The node_access function is both a wrapper around the data in the node_access database table and a method to invoke hooks in modules that define nodes to check them for any access restrictions.
Drupal's node access system is a system of grants rather than a system of prevention. If one module grants permission to access a piece of content and another does not, then the user is allowed to see the content.
Several permissions from the permission system impact the behavior of node access. Any users with the "administer nodes" permission always have access to all nodes on a site. Users without the "access content" permission will never see a node on a site. So the node access system deals only with users who have the "access content" permission and not the "administer nodes" permission. Permissions from node modules themselves, like "edit own blog" or "create forum topics", take precedence over the node access system.
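The rules above can be seen in a small model, added here as an illustration and not taken from Drupal's code or from this book. It uses Python and SQLite with a simplified node_access table; the realms `module_a` and `module_b`, the grant IDs, the sample rows and the function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data; simplified versions of Drupal's node and node_access tables.
SCHEMA = """
CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT, grant_view INTEGER);
INSERT INTO node VALUES (1, 'Public page'), (2, 'Members only'), (3, 'Private draft');
INSERT INTO node_access VALUES (1, 0, 'all', 1);        -- node 1: viewable by everyone
INSERT INTO node_access VALUES (2, 7, 'module_a', 0);   -- module_a gives no view grant
INSERT INTO node_access VALUES (2, 9, 'module_b', 1);   -- module_b grants view on node 2
INSERT INTO node_access VALUES (3, 42, 'module_b', 1);  -- node 3: only gid 42
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def list_nodes_unfiltered(db):
    """A listing query that skips the access system: every node comes back."""
    return [row[0] for row in db.execute("SELECT n.nid FROM node n ORDER BY n.nid")]

def list_nodes_rewritten(db, permissions, grants):
    """Model of the same listing after an access rewrite.
    permissions: set of permission names; grants: (realm, gid) pairs held by the user."""
    if "administer nodes" in permissions:      # always sees all nodes
        return list_nodes_unfiltered(db)
    if "access content" not in permissions:    # never sees a node
        return []
    held = [("all", 0)] + list(grants)
    match = " OR ".join("(na.realm = ? AND na.gid = ?)" for _ in held)
    sql = ("SELECT DISTINCT n.nid FROM node n "
           "INNER JOIN node_access na ON na.nid = n.nid "
           "WHERE na.grant_view >= 1 AND (" + match + ") ORDER BY n.nid")
    params = [value for pair in held for value in pair]
    return [row[0] for row in db.execute(sql, params)]

if __name__ == "__main__":
    db = make_db()
    member = [("module_a", 7), ("module_b", 9)]
    print("unfiltered:", list_nodes_unfiltered(db))
    print("member:    ", list_nodes_rewritten(db, {"access content"}, member))
    print("anonymous: ", list_nodes_rewritten(db, {"access content"}, []))
```

Node 2 appears for the member even though the module_a row gives no view grant, because the module_b row does; the unfiltered listing returns node 3 to everyone, which is the leak a query written without the rewrite produces.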
7.1.1. Modifying Queries for Access: db_rewrite_sql
Node access is a big topic, and it can be hard to break into chunks. By the end of the chapter, you should have a complete picture, but some of the individual pieces may not make sense on their own. Just ...