I have the following requirements:
- Users have (among others) "tier1", "tier2" or "tier3" roles. A higher value means more permissions and anonymous users are considered "tier0".
- Users of tier2 and tier3 can create a certain type of node: MyNode. And only these users can update and delete them.
- The node type MyNode contains the field (my custom) to restrict access: it is a simple integer. 0 means that all users can access it, 1 means that users of level 1-3 can access it, etc.
What is the correct way to implement the node restriction?
What I tried and a longer description of the problem
After searching Google and reading the documentation, I found hook_entity_access. I will simply read all the fields and if I found my type of access field, I read the value and managed it. It worked quite well to view, edit and delete. But not for opinions, they completely ignored that.
After searching a little more on Google, I discovered that hook_entity_access / hook_node_access is ignored in the views as explained in the node access rights. This page also explains that this problem must be resolved using hook_query_TAG_alter, however, I cannot understand how it should be used. I think I'm missing a bigger image and I couldn't google it. But I found another solution: use hook_node_access_records with hook_node_grants. I implemented this solution (with a tutorial help).
Therefore, each instance of MyNode provides a grant based on the value of the field, e.g. gid 2 means that level 2-3 can access the node. Each user receives subsidies based on their level function, p. the user with level 1 receives subsidies with gid 1, 2 and 3. This fixed view problem, but caused another: if I set the access of a node to 3, users of level 0-2 cannot see it (that's right) , but the user of level 2 can Edit that is a problem)
After some tests, it seems that permissions are handled differently to view and update / delete. Permission view permissions are AND-ed with a basic permission system (/ admin / people / permissions), but update / delete permissions are OR-ed. I used the basic permission system to determine which roles can generally create, update and delete MyNode nodes.
So, my current solution is the fusion of both approaches: granting system for views and hook_node_access to work with nodes directly. However, it seems a rather dirty and hacky solution: I practically implemented the same thing twice in different systems, because each system can only handle a subset of all operations. So, my question is: what is the proper implementation? What is correct Drupal-way?
Note: of course, I looked at the modules to solve this. I rejected most of them, because they are still in alpha / beta / rc phase, while the life of D8 is ending. How long would I have to wait for D9 implementation? Others were too bloated to "simple" "compare the numerical value with the role and accept / reject."