Skip navigation


7 node.api.php hook_node_access($node, $op, $account)

Control access to a node.

Modules may implement this hook if they want to have a say in whether or not a given user has access to perform a given operation on a node.

The administrative account (user ID #1) always passes any access check, so this hook is not called in that case. Users with the "bypass node access" permission may always view and edit content through the administrative interface.

Note that not all modules will want to influence access on all node types. If your module does not want to actively grant or block access, return NODE_ACCESS_IGNORE or simply return nothing. Blindly returning FALSE will break other node access modules.

More on the node access system


$node: The node on which the operation is to be performed, or, if it does not yet exist, the type of node to be created.

$op: The operation to be performed. Possible values:

  • "create"
  • "delete"
  • "update"
  • "view"

$account: A user object representing the user for whom the operation is to be performed.

Return value

NODE_ACCESS_ALLOW if the operation is to be allowed; NODE_ACCESS_DENY if the operation is to be denied; NODE_ACCESS_IGNORE to not affect this operation at all.

Related topics

1 function implements hook_node_access()

1 invocation of hook_node_access()


drupal/modules/node/node.api.php, line 593
Hooks provided by the Node module.


function hook_node_access($node, $op, $account) {
  $type = is_string($node) ? $node : $node->type;

  if (in_array($type, node_permissions_get_configured_types())) {
    if ($op == 'create' && user_access('create ' . $type . ' content', $account)) {
      return NODE_ACCESS_ALLOW;

    if ($op == 'update') {
      if (user_access('edit any ' . $type . ' content', $account) || (user_access('edit own ' . $type . ' content', $account) && ($account->uid == $node->uid))) {
        return NODE_ACCESS_ALLOW;

    if ($op == 'delete') {
      if (user_access('delete any ' . $type . ' content', $account) || (user_access('delete own ' . $type . ' content', $account) && ($account->uid == $node->uid))) {
        return NODE_ACCESS_ALLOW;

  // Returning nothing from this function would have the same effect.